Enforce set of transitive deps #707

Closed
jglick opened this issue Mar 9, 2023 · 1 comment

@jglick
Member

jglick commented Mar 9, 2023

(split from #705 (comment))

As of jenkinsci/maven-hpi-plugin#130 if your plugin bundles some library which has transitive deps, you get a warning in the build log alerting you to possibly unintentional elements, but who looks at that? Would be better to mechanically enforce the set. This would be incompatible, so it has to be as easy as possible to adapt. For example

[INFO] --- maven-hpi-plugin:3.38:hpi (default-hpi) @ artifact-manager-s3 ---
[INFO] Generating …/artifact-manager-s3-plugin/target/artifact-manager-s3/META-INF/MANIFEST.MF
[INFO] Checking for attached .jar artifact ...
[INFO] Generating jar …/artifact-manager-s3-plugin/target/artifact-manager-s3.jar
[INFO] Building jar: …/artifact-manager-s3-plugin/target/artifact-manager-s3.jar
[INFO] Exploding webapp...
[INFO] Copy webapp webResources to …/artifact-manager-s3-plugin/target/artifact-manager-s3
[INFO] Assembling webapp artifact-manager-s3 in …/artifact-manager-s3-plugin/target/artifact-manager-s3
[WARN] Bundling transitive dependency gson-2.8.9.jar (via aws-s3)
[WARN] Bundling transitive dependency guice-assistedinject-5.0.1.jar (via aws-s3)
[WARN] Bundling transitive dependency commons-io-2.11.0.jar (via tika-core)
[WARN] Bundling transitive dependency javax.ws.rs-api-2.0.1.jar (via aws-s3)
[WARN] Bundling transitive dependency s3-2.5.0.jar (via aws-s3)
[WARN] Bundling transitive dependency sts-2.5.0.jar (via aws-s3)
[INFO] Bundling direct dependency aws-s3-2.5.0.jar
[WARN] Bundling transitive dependency jclouds-blobstore-2.5.0.jar (via aws-s3)
[WARN] Bundling transitive dependency jclouds-core-2.5.0.jar (via aws-s3)
[INFO] Bundling direct dependency tika-core-2.7.0.jar
[INFO] Generating hpi …/artifact-manager-s3-plugin/target/artifact-manager-s3.hpi
[INFO] Building jar: …/artifact-manager-s3-plugin/target/artifact-manager-s3.hpi

could be replaced by INFO messages if you were required to also add one thing to properties like

<hpi.transitive.deps>commons-io gson guice-assistedinject javax.ws.rs-api jclouds-blobstore jclouds-core s3 sts</hpi.transitive.deps>

and the failing build prompted you to add that.

Subsequently, if some Dependabot update caused the set of transitive dependencies to grow or shrink, that PR build would fail until you edited the line, signaling your approval of the change.
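
One way to run the check proposed above as a CI step over the build log, written as an added example that is not code from maven-hpi-plugin or from the issue author. The function names, the rule for splitting the artifactId from the version in a jar file name, and the `example-lib` line are assumptions made for illustration.

```python
import re

# Matches the maven-hpi-plugin warning shown in the issue's build log.
WARN_RE = re.compile(
    r"^\[WARN(?:ING)?\] Bundling transitive dependency (\S+\.jar) \(via (\S+)\)")
# Heuristic (assumption): the version starts at the first "-<digit>" in the name.
JAR_RE = re.compile(r"^(.+?)-\d[\w.\-]*\.jar$")

def bundled_transitive(log_text):
    """Map artifactId -> direct dependency that pulled it in, per the build log."""
    found = {}
    for line in log_text.splitlines():
        m = WARN_RE.match(line.strip())
        if not m:
            continue  # INFO lines and direct dependencies are not checked
        jar = JAR_RE.match(m.group(1))
        if jar is None:
            raise ValueError(f"cannot split artifactId from {m.group(1)!r}")
        found[jar.group(1)] = m.group(2)
    return found

def check(log_text, approved_property):
    """Fail when the bundled set grows or shrinks relative to the approved set."""
    approved = set(approved_property.split())
    found = bundled_transitive(log_text)
    unexpected = {a: via for a, via in found.items() if a not in approved}
    stale = sorted(approved - found.keys())
    # Line to paste into <properties> to approve the current set.
    suggestion = "<hpi.transitive.deps>%s</hpi.transitive.deps>" % " ".join(sorted(found))
    return {"ok": not unexpected and not stale, "unexpected": unexpected,
            "stale": stale, "suggestion": suggestion}

# Bundling lines copied from the log in the issue.
ISSUE_LOG = """\
[WARN] Bundling transitive dependency gson-2.8.9.jar (via aws-s3)
[WARN] Bundling transitive dependency guice-assistedinject-5.0.1.jar (via aws-s3)
[WARN] Bundling transitive dependency commons-io-2.11.0.jar (via tika-core)
[WARN] Bundling transitive dependency javax.ws.rs-api-2.0.1.jar (via aws-s3)
[WARN] Bundling transitive dependency s3-2.5.0.jar (via aws-s3)
[WARN] Bundling transitive dependency sts-2.5.0.jar (via aws-s3)
[INFO] Bundling direct dependency aws-s3-2.5.0.jar
[WARN] Bundling transitive dependency jclouds-blobstore-2.5.0.jar (via aws-s3)
[WARN] Bundling transitive dependency jclouds-core-2.5.0.jar (via aws-s3)
[INFO] Bundling direct dependency tika-core-2.7.0.jar
"""
# Property value exactly as proposed in the issue.
APPROVED = "commons-io gson guice-assistedinject javax.ws.rs-api jclouds-blobstore jclouds-core s3 sts"
# Constructed line: a dependency update that drags in one more jar.
GROWN_LOG = ISSUE_LOG + "[WARN] Bundling transitive dependency example-lib-1.0.0.jar (via aws-s3)\n"
```

`check(ISSUE_LOG, APPROVED)` passes, while `check(GROWN_LOG, APPROVED)` reports `example-lib` as unexpected together with the direct dependency that introduced it, which is the information a reviewer needs before approving the change.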

@jglick
Member Author

jglick commented Nov 28, 2023

jenkinsci/maven-hpi-plugin#557 (forgot I had filed it here)

jglick closed this as not planned on Nov 28, 2023