[ https://jira.codehaus.org/browse/MENFORCER-138?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Paul Gier updated MENFORCER-138:
--------------------------------

Description:
In some projects it's necessary (or at least desirable) to have all dependencies explicitly specified in pom. We have a build requirement to use a strictly controlled maven repository which includes only artifacts which are necessary and have been reviewed/approved. In order to meet this requirement, each new dependency in the build must be reviewed before each release. This can be done by periodically reviewing the dependency tree and cleaning up any unnecessary dependencies, but it would be more efficient if the developer adding the dependency was immediately notified that new (possibly unnecessary) dependencies were added to the build and not explicitly defined. The developer can immediately choose whether to exclude the transitive dependency (if it's not really needed), or declare the dependency and control the version using dependency management. Doing this checking up front when the build is modified is more efficient than periodically reviewing the dependency tree after several upgrades may have taken place.

In order to facilitate this use case, an enforcer rule could check that all dependencies are explicitly defined unless they are specifically marked to be ignored. This would ban all transitive dependencies so that the user could either add the transitive dependency directly to the pom (if it's actually needed), or exclude the dependency using exclusions in the dependency management, or mark it to be ignored using something like an <excludes> parameter similar to other standard enforcer rules.

was:
In some projects it's necessary (or at least desirable) to have all dependencies specified in pom. It would be nice to have an enforcer rule that would ban all transitive dependencies so that the user could either add the transitive dependency directly to the pom (if it's actually needed), or exclude the dependency.
The rule should also have an option to ignore certain transitive dependencies, possibly using a similar syntax to other rules.

Assignee: Paul Gier

> Rule to ban all transitive dependencies
> ---------------------------------------
>
> Key: MENFORCER-138
> URL: https://jira.codehaus.org/browse/MENFORCER-138
> Project: Maven 2.x Enforcer Plugin
> Issue Type: New Feature
> Components: Standard Rules
> Reporter: Paul Gier
> Assignee: Paul Gier
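
The check proposed in this issue, sketched as an added Python example (not code from the Enforcer plugin or from the reporter): every resolved artifact must be declared directly in the POM unless an exclude pattern covers it. The POM, the coordinates, the exclude pattern and the `groupId:artifactId:type:version:scope` input format are constructed assumptions.

```python
import fnmatch
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM: two dependencies are declared explicitly.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>web-core</artifactId></dependency>
    <dependency><groupId>org.example</groupId><artifactId>json-lib</artifactId></dependency>
  </dependencies>
</project>"""

# Constructed resolved dependency set (assumed input format, one artifact per line).
RESOLVED = """\
org.example:web-core:jar:1.0:compile
org.example:json-lib:jar:2.1:compile
org.example:xml-utils:jar:0.9:compile
com.vendor.logging:log-api:jar:1.2:compile
com.vendor.logging:log-impl:jar:1.2:runtime
"""

def declared_dependencies(pom_xml):
    """Return groupId:artifactId keys listed directly under project/dependencies."""
    root = ET.fromstring(pom_xml)
    # dependencyManagement entries are deliberately not counted: they pin a
    # version but do not declare the dependency.
    return {
        f"{d.findtext('m:groupId', namespaces=NS)}:{d.findtext('m:artifactId', namespaces=NS)}"
        for d in root.findall("m:dependencies/m:dependency", NS)
    }

def undeclared_transitives(pom_xml, resolved_lines, excludes=()):
    """List resolved artifacts that are neither declared nor matched by an exclude."""
    declared = declared_dependencies(pom_xml)
    findings = []
    for line in resolved_lines.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2:
            continue  # blank or malformed line
        key = f"{parts[0]}:{parts[1]}"
        if key in declared or any(fnmatch.fnmatchcase(key, p) for p in excludes):
            continue
        findings.append(line.strip())
    return findings

if __name__ == "__main__":
    bad = undeclared_transitives(POM, RESOLVED, excludes=["com.vendor.logging:*"])
    for artifact in bad:
        print("undeclared transitive dependency:", artifact)
    raise SystemExit(1 if bad else 0)  # non-zero exit fails the build step
```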