[ 
https://jira.codehaus.org/browse/MENFORCER-138?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=307411#comment-307411
 ] 

Paul Gier commented on MENFORCER-138:
-------------------------------------

This looks good.  I updated the formatting based on the Maven code style 
conventions [1], and I added two simple integration tests which you can pull 
from my branch [2].  One of the integration tests exposes what I think is a 
minor bug, where you can exclude two level-3 dependencies and then the plugin 
ignores the level-2 dependency that is the parent of these deps.

Can you also add some site documentation similar to the other rules under 
src/site/apt?

[1]http://maven.apache.org/developers/committer-environment.html
[2]https://github.com/pgier/maven-enforcer/tree/MENFORCER-138
                
> Rule to ban all transitive dependencies
> ---------------------------------------
>
>                 Key: MENFORCER-138
>                 URL: https://jira.codehaus.org/browse/MENFORCER-138
>             Project: Maven 2.x Enforcer Plugin
>          Issue Type: New Feature
>          Components: Standard Rules
>            Reporter: Paul Gier
>            Assignee: Paul Gier
>
> In some projects it's necessary (or at least desirable) to have all 
> dependencies explicitly specified in pom.  We have a build requirement to use 
> a strictly controlled maven repository which includes only artifacts which 
> are necessary and have been reviewed/approved.  In order to meet this 
> requirement, each new dependency in the build much be reviewed before each 
> release.  This can be done by periodically reviewing the dependency tree and 
> cleaning up any unnecessary dependencies, but it would be more efficient if 
> the developer adding the dependency was immediately notified that new 
> (possibly unnecessary) dependencies were added to the build and not 
> explicitly defined.  The developer can immediately choose whether to exclude 
> the transitive dependency (if it's not really needed), or declare the 
> dependency and control the version using dependency management.  Doing this 
> checking up front when the build is modified is more efficient than 
> periodically reviewing the dependency tree after several upgrades may have 
> taken place.
> It In order to facilitate this use case, an enforcer rule could check that 
> all dependencies are explicitly defined unless they are specifically marked 
> to be ignored.  This would ban all transitive dependencies so that the user 
> could either add the transitive dependency directly to the pom (if it's 
> actually needed), or exclude the dependency using exclusions in the 
> dependency management, or marked to be ignored using something like an 
> <excludes> parameter similar to other standard enforcer rules.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


Reply via email to