[ https://issues.apache.org/jira/browse/MDEP-964?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17916381#comment-17916381 ]

ASF GitHub Bot commented on MDEP-964:
-------------------------------------

elharo commented on code in PR #459:
URL: https://github.com/apache/maven-dependency-plugin/pull/459#discussion_r1926895627


##########
src/main/java/org/apache/maven/plugins/dependency/analyze/AbstractAnalyzeMojo.java:
##########
@@ -231,7 +231,7 @@ public abstract class AbstractAnalyzeMojo extends 
AbstractMojo {
      *
      * @since 2.10
      */
-    @Parameter(defaultValue = "org.slf4j:slf4j-simple::")
+    @Parameter(defaultValue = 
"org.slf4j:slf4j-simple::,org.glassfish:javax.json::")
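
Review bot: On the changed `defaultValue`, `org.glassfish:javax.json::` is ignored unconditionally, while the issue description suggests listing it as used only if javax.json-api is used; please confirm the unconditional entry is intended. The Javadoc context shown carries only `@since 2.10`, so it should also state that the default now includes `org.glassfish:javax.json`, because a `defaultValue` applies only when the project does not configure the parameter, and a project that sets its own value drops both entries.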

Review Comment:
   Ping. There are two incompatible ways forward here and both have been 
requested by different people at different times. Either would be better than 
the status quo so we should choose one.
   
   Option 1: There is a non-overridable list of dependencies we never warn 
about when they are declared but not used. A project can append to this list 
but not replace it.
   
   Option 2: There is an overridable list of dependencies we never warn about 
when they are declared but not used. Projects can replace the entire list. 
   
   I prefer Option 1. It's simpler, and matches what almost everyone wants in 
practice. It emits fewer warnings and produces less noise. It will not break 
anyone's build. There are fewer false positives.
   
   I'm OK with Option 2 if necessary. I think anything beyond these two options 
adds unnecessary complexity for no real world purpose. 
   





> Allowlist org.glassfish:javax.json
> ----------------------------------
>
>                 Key: MDEP-964
>                 URL: https://issues.apache.org/jira/browse/MDEP-964
>             Project: Maven Dependency Plugin
>          Issue Type: Improvement
>            Reporter: Elliotte Rusty Harold
>            Assignee: Elliotte Rusty Harold
>            Priority: Minor
>
> found this one in our own code:
> -    <dependency>
> -      <groupId>org.glassfish</groupId>
> -      <artifactId>javax.json</artifactId>
> -      <version>1.1.4</version>
> -      <scope>test</scope>
> -    </dependency>
> It's typically loaded by reflection so not found by the analyzer. Might want 
> to list it as used iff javax.json-api is used



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
