Pascal Knüppel created MENFORCER-520:
----------------------------------------
Summary: Problem with <requireUpperBoundDeps>
Key: MENFORCER-520
URL: https://issues.apache.org/jira/browse/MENFORCER-520
Project: Maven Enforcer Plugin
Issue Type: Bug
Affects Versions: 3.5.0
Reporter: Pascal Knüppel
From yesterday to today we are suddenly getting the following error:
{code:java}
[ERROR] Rule 0: org.apache.maven.enforcer.rules.dependency.RequireUpperBoundDeps failed with message:
[ERROR] Failed while enforcing RequireUpperBoundDeps. The error(s) are [
[ERROR] Require upper bound dependencies error for org.bouncycastle:bcprov-jdk18on:1.80 paths to dependency are:
[ERROR] +-de.governikus.autent.crucis:oidc-auth-service:3.2.1-SNAPSHOT
[ERROR] +-de.governikus.autent.utils:autent-key-utils:5.2.0
[ERROR] +-org.bouncycastle:bcprov-jdk18on:1.80 (managed) <-- org.bouncycastle:bcprov-jdk18on:1.78.1
[ERROR] and
[ERROR] +-de.governikus.autent.crucis:oidc-auth-service:3.2.1-SNAPSHOT
[ERROR] +-de.governikus.autent.utils:autent-key-utils:5.2.0
[ERROR] +-org.bouncycastle:bcpkix-jdk18on:1.80 (managed) <-- org.bouncycastle:bcpkix-jdk18on:1.78.1
[ERROR] +-org.bouncycastle:bcutil-jdk18on:1.80.0.redhat-00001
[ERROR] +-org.bouncycastle:bcprov-jdk18on:1.80 (managed) <-- org.bouncycastle:bcprov-jdk18on:1.80.0.redhat-00001
[ERROR] ]
{code}
Red Hat just released a new version of jdk18on, and Bouncy Castle defines a
version range to always use the newer version.
We do not want to use the explicit redhat-version. Is it really the right way
to treat such versions like 1.80.0.redhat-00001 as newer than the version
1.80.0?
I consider this behaviour rather problematic.
It would be great if we could add exclusion filters for specific version patterns,
like `.*redhat.*` for example.
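Why the rule fires, as an added example that is not part of the original report or of the Enforcer code base: a simplified Python model of Maven's version ordering, in which a qualifier Maven does not recognize (here `redhat`) ranks above the plain release. It assumes `-` can be treated like `.` and omits some qualifier aliases; `upper_bound` and its `exclude` pattern are hypothetical and only illustrate the filter requested above, not an existing Enforcer option.

```python
import re
from functools import cmp_to_key

# Qualifiers Maven recognizes, ascending; "" stands for the plain release.
KNOWN = ["alpha", "beta", "milestone", "rc", "snapshot", "", "sp"]
ALIASES = {"cr": "rc", "final": "", "ga": "", "release": ""}

def tokens(version):
    """Split on separators and digit/letter boundaries, drop trailing zeros."""
    parts = re.findall(r"\d+|[a-z]+", version.lower())
    items = [int(p) if p.isdigit() else ALIASES.get(p, p) for p in parts]
    while items and items[-1] in (0, ""):
        items.pop()
    return items

def rank(qualifier):
    """Known qualifiers sort by position; unknown ones sort after all of them."""
    if qualifier in KNOWN:
        return (KNOWN.index(qualifier), "")
    return (len(KNOWN), qualifier)

def cmp_item(a, b):
    """Compare two tokens; None means the other version has run out of tokens."""
    if a is None:
        return 0 if b is None else -cmp_item(b, None)
    if isinstance(a, int):
        if isinstance(b, str):
            return 1                      # a number outranks any qualifier
        b = b or 0                        # missing token counts as 0
        return (a > b) - (a < b)
    if isinstance(b, int):
        return -1
    ra, rb = rank(a), rank(b or "")       # missing token counts as the release
    return (ra > rb) - (ra < rb)

def compare(v1, v2):
    a, b = tokens(v1), tokens(v2)
    for i in range(max(len(a), len(b))):
        c = cmp_item(a[i] if i < len(a) else None, b[i] if i < len(b) else None)
        if c:
            return c
    return 0

def upper_bound(versions, exclude=None):
    """Highest version; `exclude` is the hypothetical regex filter from the report."""
    pool = [v for v in versions if not (exclude and re.fullmatch(exclude, v))]
    return max(pool, key=cmp_to_key(compare))

# bcprov-jdk18on versions taken from the log above.
SEEN = ["1.78.1", "1.80", "1.80.0.redhat-00001"]
```

With `SEEN`, `upper_bound` selects the `redhat` build unless the exclusion pattern is supplied, which is the mismatch the rule reports against the managed 1.80.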