[ 
https://issues.apache.org/jira/browse/MNG-7238?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17412489#comment-17412489
 ] 

Chris Kilding commented on MNG-7238:
------------------------------------

As for how to set the deprecation flag, I agree we wouldn't want to edit Maven 
metadata files directly.

I would propose that there is a form in the repository Web UI (typically 
Artifactory or Nexus) which allows anyone with the appropriate permissions - 
that would usually be the maintainer on Central, or an admin in rare 
circumstances - to deprecate/undeprecate an artifact. There is already an 
artifact management form in those tools, so this would just be one more field 
in that form. We would need a bit of cooperation from Sonatype and JFrog to 
build it, but that is doable.

I encourage reading the NuGet article on deprecation for an idea of what that 
Web UI could look like: 
[https://docs.microsoft.com/en-us/nuget/nuget-org/deprecate-packages].

(Personally I think NuGet includes too many fields in their deprecation 
feature, and it could just be a simple boolean flag, but the point here is to 
show that this is completely possible to do.)

> Dependency deprecation indicators
> ---------------------------------
>
>                 Key: MNG-7238
>                 URL: https://issues.apache.org/jira/browse/MNG-7238
>             Project: Maven
>          Issue Type: New Feature
>            Reporter: Chris Kilding
>            Priority: Major
>
> I would like to propose a new Maven feature: dependency deprecation 
> indicators.
> In a nutshell, the idea is to let maintainers set a 'deprecated' metadata 
> indicator on a Maven artifact in a repository. This will indicate to users 
> that the artifact should no longer be used.
> The Maven CLI tools could then react to deprecation indicators in the 
> appropriate ways:
>  * {{mvn}} itself: Print a warning when deprecated dependencies are seen.
>  * Maven Enforcer Plugin: Add a {{<banDeprecatedDependencies>}} rule which 
> throws an error when deprecated dependencies are seen. (Also have a 'skip' 
> property which allows the rule to be temporarily bypassed if needed.)
>  * Maven Dependency Tree: Print a {{[deprecated]}} notice next to any 
> deprecated dependency in the tree.
> We can also envisage automated agents like Dependabot or Snyk using these 
> indicators to alert developers about deprecated dependencies in their stacks, 
> and even assisting developers to remove them.
> Some of the major build tools outside the JVM already have deprecation 
> indicators:
>  * NPM: [https://docs.npmjs.com/cli/v7/commands/npm-deprecate]
>  * NuGet: 
> [https://docs.microsoft.com/en-us/nuget/nuget-org/deprecate-packages]
>  * Composer: 
> [https://tomasvotruba.com/blog/2017/07/03/how-to-deprecate-php-package-without-leaving-anyone-behind/]
>  * CocoaPods: [https://guides.cocoapods.org/syntax/podspec.html#deprecated]
> So the feature has precedent, and I believe it would be useful to have in 
> Maven.
> This Jira ticket follows up from the conversation "Feature proposal: 
> Dependency deprecation indicators" on the maven-dev mailing list.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
