[ http://jira.codehaus.org/browse/MNG-2969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_94583 ]
Stefano Bagnara commented on MNG-2969:
--------------------------------------

Brian: ok, but why are you allowed to add new dependencies to a plugin via dependencyManager? And why can you do exclusions for standard dependencies? If we trust third party authors and original dependencies then we wouldn't need the dependency/exclusion system at all.

About the specific issue, one of our PMC members is concerned about security and would like to build the project fully offline and without using artifacts previously downloaded to the repository. We do this by declaring a "stage" repository that has a "file://${basedir}/stage" url and placing there every dependency we have. Unfortunately some plugins have plenty of dependencies and sometimes they forgot to declare that a dependency is only needed at compile time, so the list of jars needed is almost double the jars actually being used.

> Unable to exclude a dependency from a needed plugin
> ---------------------------------------------------
>
> Key: MNG-2969
> URL: http://jira.codehaus.org/browse/MNG-2969
> Project: Maven 2
> Issue Type: Bug
> Components: Dependencies
> Affects Versions: 2.0.6
> Reporter: Stefano Bagnara
>
> When we add a "standard" dependency we can tune its dependency list using the
> exclusions directive.
> This is not possible with plugins.
> Let's say I add javacc-maven-plugin to my build/plugins section and the
> plugin declared in its pom:
> <dependency>
>   <groupId>org.codehaus.plexus</groupId>
>   <artifactId>plexus-utils</artifactId>
>   <version>1.0.4</version>
> </dependency>
> And I know that this dependency is a compile dependency and I won't need it,
> how can I tune my plugin inclusion so as to not download plexus-utils?
> In <pluginManagement> I can add new dependencies to a plugin (WHY is this
> needed?) but I cannot exclude existing dependencies: isn't this a bug?
> I can add a new dependency to the plugin and add exclusions for this new
> dependency but I cannot add an exclusion for the top-level dependencies.
> Am I missing something?