maven-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Scholte (Jira)" <j...@apache.org>
Subject [jira] [Commented] (MNG-7238) Dependency deprecation indicators
Date Wed, 08 Sep 2021 15:39:00 GMT

    [ https://issues.apache.org/jira/browse/MNG-7238?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17412017#comment-17412017
] 

Robert Scholte commented on MNG-7238:
-------------------------------------

It doesn't belong to the model either, as this kind of information is not part of the build/release
cycle. it has its own "lifecycle".
Suppose you've released version X, and at some time you want to deprecate it. You cannot touch
the pom of X anymore as it is immutable.
And releasing Y with deprecation info about previous releases can't be the right approach
and would bite us in the end.
In my opinion we shouldn't store this information in Central, as it would cause an extra load
on these servers.


> Dependency deprecation indicators
> ---------------------------------
>
>                 Key: MNG-7238
>                 URL: https://issues.apache.org/jira/browse/MNG-7238
>             Project: Maven
>          Issue Type: New Feature
>            Reporter: Chris Kilding
>            Priority: Major
>
> I would like to propose a new Maven feature: dependency deprecation indicators.
> In a nutshell, the idea is to let maintainers set a 'deprecated' metadata indicator on
a Maven artifact in a repository. This will indicate to users that the artifact should no
longer be used.
> The Maven CLI tools could then react to deprecation indicators in the appropriate ways:
>  * {{mvn}} itself: Print a warning when deprecated dependencies are seen.
>  * Maven Enforcer Plugin: Add a {{<banDeprecatedDependencies>}} rule which throws
an error when deprecated dependencies are seen. (Also have a 'skip' property which allows
the rule to be temporarily bypassed if needed.)
>  * Maven Dependency Tree: Print a {{[deprecated]}} notice next to any deprecated dependency
in the tree.
> We can also envisage automated agents like Dependabot or Snyk using these indicators
to alert developers about deprecated dependencies in their stacks, and even assisting developers
to remove them.
> Some of the major build tools outside the JVM already have deprecation indicators:
>  * NPM: [https://docs.npmjs.com/cli/v7/commands/npm-deprecate]
>  * Nuget: [https://docs.microsoft.com/en-us/nuget/nuget-org/deprecate-packages]
>  * Composer: [https://tomasvotruba.com/blog/2017/07/03/how-to-deprecate-php-package-without-leaving-anyone-behind/]
>  * Cocoapods: [https://guides.cocoapods.org/syntax/podspec.html#deprecated]
> So the feature has precedent, and I believe it would be useful to have in Maven.
> This Jira ticket follows up from the conversation "Feature proposal: Dependency deprecation
indicators" on the maven-dev mailing list.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message