Travis Schneeberger opened MDEP-317 and commented

Say you depend on the foo jar and would like to exclude the servlet-api. For example:

<dependency> <groupId>com.foo</groupId> <artifactId>foo</artifactId> <version>1</version> <exclusions> <exclusion> <groupId>javax.servlet</groupId> <artifactId>servlet-api</artifactId> </exclusion> </exclusions> </dependency>

Later the foo jar switches to using the geronimo version of the servlet spec. You upgrade to using the new foo jar and your exclusion of the javax.servlet:servlet-api is no longer valid. It would be nice if the dependency:analyze* goals could list all the exclusions that are not valid.

This type of thing happens for various reasons like:

• dependency switched to the "same" dependency but with a different groupId - technically these are different deps according to maven
• dependency changed minimum java language version where some apis are now included in the java runtime
• dependency switched to a new implementation of the same library
• dependency no longer uses a dependency

Without this kind of reporting it is very easy for an unwanted dependency slip in unnoticed.

Affects: 2.2

Issue Links:

• MDEP-922 dependency:analyze-exclusions - should report issue only in current project

• MDEP-917 dependency:analyze-exclusions - use Resolver API instead of ProjectBuilder

• MENFORCER-119 new rule to check for invalid dependency excludes

Remote Links:

• GitHub Pull Request #362
  

2 votes, 6 watchers