[ https://issues.apache.org/jira/browse/MDEP-964?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17910164#comment-17910164 ]
ASF GitHub Bot commented on MDEP-964: ------------------------------------- elharo commented on code in PR #459: URL: https://github.com/apache/maven-dependency-plugin/pull/459#discussion_r1904085130 ########## src/main/java/org/apache/maven/plugins/dependency/analyze/AbstractAnalyzeMojo.java: ########## @@ -231,7 +231,7 @@ public abstract class AbstractAnalyzeMojo extends AbstractMojo { * * @since 2.10 */ - @Parameter(defaultValue = "org.slf4j:slf4j-simple::") + @Parameter(defaultValue = "org.slf4j:slf4j-simple::,org.glassfish:javax.json::") Review Comment: Do you want the user to replace the default list then, not simply append to it? My gut is that we should not warn on anything we're not sure about, and we're never sure about dependencies like slf4j that are commonly used by reflection. > Allowlist org.glassfish:javax.json > ---------------------------------- > > Key: MDEP-964 > URL: https://issues.apache.org/jira/browse/MDEP-964 > Project: Maven Dependency Plugin > Issue Type: Improvement > Reporter: Elliotte Rusty Harold > Assignee: Elliotte Rusty Harold > Priority: Minor > > found this one in our own code: > - <dependency> > - <groupId>org.glassfish</groupId> > - <artifactId>javax.json</artifactId> > - <version>1.1.4</version> > - <scope>test</scope> > - </dependency> > It's typically loaded by reflection so not found by the analyzer. Might want > to list it as used iff javax.json-api is used -- This message was sent by Atlassian Jira (v8.20.10#820010)