From: Jeff Jensen
Date: Thu, 12 Nov 2015 16:20:18 -0600
Subject: Re: Locking down dependency versions...
To: Maven Users List
Cc: info@soebes.de

I suggest reviewing the enforcer plugin [0] to see if any of its rules can help you.
Specifically, I wonder about [1] and [2].

I like to use many of these rules to help keep a resilient build. The main hassle is some dependencies "bleed", but usually just need to exclude their transitives or work with the source product to help them clean up their pom (and sometimes it's because "your" pom didn't declare a version for a previously unknown transitive :-).

[0] http://maven.apache.org/enforcer/maven-enforcer-plugin/
[1] http://maven.apache.org/enforcer/enforcer-rules/dependencyConvergence.html
[2] http://maven.apache.org/enforcer/enforcer-rules/banTransitiveDependencies.html

On Thu, Nov 12, 2015 at 4:00 PM, Kevin Burton wrote:

> Just regular dependency versions.
>
> So if we're using 1.0.1 of library A I don't want adding library B
> to transitively change our dependency on library A...
>
> This has happened to us before and caused problems.
>
> On Thu, Nov 12, 2015 at 1:40 PM, Karl Heinz Marbaise wrote:
>
> > Hi Kevin,
> >
> > On 11/12/15 10:22 PM, Kevin Burton wrote:
> >
> >> Is there a maven module that can lock down dependency versions?
> >>
> >
> > Are you talking about SNAPSHOT's or something different?
> >
> >
> >> I have a custom / in house script we wrote that writes a .dependencies
> >> file with the jar dependencies.
> >>
> >> If we commit without updating it, CI will fail with an error because you
> >> didn't manually approve the change by regenerating the .dependencies file.
> >>
> >> This way we don't have to worry about a radical dependency change due to a
> >> new dependency breaking our tree.
> >>
> >> The problem is I'm starting to break off our code into sub-projects and
> >> I'd like to use this everywhere.
> >>
> >> Kevin
> >>
> >
> > Kind regards
> > Karl Heinz Marbaise
>
> --
>
> We’re hiring if you know of any awesome Java Devops or Linux Operations
> Engineers!
>
> Founder/CEO Spinn3r.com
> Location: *San Francisco, CA*
> blog: http://burtonator.wordpress.com
> … or check out my Google+ profile
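
Added example, not part of the original thread and not the in-house script Kevin describes: a Python version of the `.dependencies` approval check from the quoted message, comparing a committed list against `mvn dependency:list` output so that a transitive version change fails CI. The one-coordinate-per-line file format, the `com.example` coordinates and the function names are assumptions.

```python
import re
import sys

# One resolved artifact per line, as printed by `mvn dependency:list`:
#   [INFO]    group:artifact:type[:classifier]:version:scope
_COORD = re.compile(r"^(?:\[INFO\]\s+)?([\w.\-]+(?::[\w.\-]+){4,5})$")

def parse_dependencies(text):
    """Map (group, artifact, type, classifier) -> version; other lines are skipped."""
    deps = {}
    for line in text.splitlines():
        m = _COORD.match(line.strip())
        if not m:
            continue
        parts = m.group(1).split(":")
        group, artifact, kind = parts[:3]
        classifier = parts[3] if len(parts) == 6 else ""
        deps[(group, artifact, kind, classifier)] = parts[-2]
    return deps

def drift(approved_text, resolved_text):
    """List (status, coordinate, approved_version, resolved_version) differences."""
    approved = parse_dependencies(approved_text)
    resolved = parse_dependencies(resolved_text)
    findings = []
    for key in sorted(set(approved) | set(resolved)):
        old, new = approved.get(key), resolved.get(key)
        if old != new:
            status = "added" if old is None else "removed" if new is None else "changed"
            findings.append((status, ":".join(p for p in key if p), old, new))
    return findings

# Constructed sample: the approved list pins library-a at 1.0.1; after library-b
# is added, the resolved tree carries library-a 1.2.0 instead.
APPROVED = """\
com.example:library-a:jar:1.0.1:compile
com.example:util:jar:3.1:compile
"""
RESOLVED = """\
[INFO] The following files have been resolved:
[INFO]    com.example:library-a:jar:1.2.0:compile
[INFO]    com.example:library-b:jar:2.0.0:compile
[INFO]    com.example:util:jar:3.1:compile
"""

if __name__ == "__main__":
    # Assumed CI usage: check.py .dependencies resolved.txt (falls back to the sample)
    a, r = (open(p).read() for p in sys.argv[1:3]) if len(sys.argv) > 2 else (APPROVED, RESOLVED)
    found = drift(a, r)
    for status, coord, old, new in found:
        print(f"{status}: {coord} approved={old} resolved={new}")
    sys.exit(1 if found else 0)
```

A non-zero exit code makes the CI job fail until someone regenerates and commits the approved list, which is the manual approval step the quoted message describes.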