[
https://jira.codehaus.org/browse/MENFORCER-138?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=307411#comment-307411
]
Paul Gier commented on MENFORCER-138:
-------------------------------------
This looks good. I updated the formatting based on the Maven code style
conventions [1], and I added two simple integration tests which you can pull
from my branch [2]. One of the integration tests exposes what I think is a
minor bug, where you can exclude two level-3 dependencies and then the plugin
ignores the level-2 dependency that is the parent of these deps.
Can you also add some site documentation similar to the other rules under
src/site/apt?
[1]http://maven.apache.org/developers/committer-environment.html
[2]https://github.com/pgier/maven-enforcer/tree/MENFORCER-138
> Rule to ban all transitive dependencies
> ---------------------------------------
>
> Key: MENFORCER-138
> URL: https://jira.codehaus.org/browse/MENFORCER-138
> Project: Maven 2.x Enforcer Plugin
> Issue Type: New Feature
> Components: Standard Rules
> Reporter: Paul Gier
> Assignee: Paul Gier
>
> In some projects it's necessary (or at least desirable) to have all
> dependencies explicitly specified in pom. We have a build requirement to use
> a strictly controlled maven repository which includes only artifacts which
> are necessary and have been reviewed/approved. In order to meet this
> requirement, each new dependency in the build much be reviewed before each
> release. This can be done by periodically reviewing the dependency tree and
> cleaning up any unnecessary dependencies, but it would be more efficient if
> the developer adding the dependency was immediately notified that new
> (possibly unnecessary) dependencies were added to the build and not
> explicitly defined. The developer can immediately choose whether to exclude
> the transitive dependency (if it's not really needed), or declare the
> dependency and control the version using dependency management. Doing this
> checking up front when the build is modified is more efficient than
> periodically reviewing the dependency tree after several upgrades may have
> taken place.
> It In order to facilitate this use case, an enforcer rule could check that
> all dependencies are explicitly defined unless they are specifically marked
> to be ignored. This would ban all transitive dependencies so that the user
> could either add the transitive dependency directly to the pom (if it's
> actually needed), or exclude the dependency using exclusions in the
> dependency management, or marked to be ignored using something like an
> <excludes> parameter similar to other standard enforcer rules.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira