-
Notifications
You must be signed in to change notification settings - Fork 267
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enhancement: limit report to updates actionable in the context of pom.xml #1140
Comments
Have you tried setting processDependencyManagementTransitive to false? |
yes |
I can't reproduce the issue when using -DprocessDependencyManagementTransitive=false. Please provide a minimal pom.xml (or set of maven projects) reproducing the issue. For example, for the following pom.xml <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.3.1</version>
</parent>
<groupId>localhost</groupId>
<artifactId>parent</artifactId>
<version>1.0.0-SNAPSHOT</version>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>localhost</groupId>
<artifactId>dummy-api</artifactId>
<version>[1.0,2.3]</version>
<scope>test</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>localhost</groupId>
<artifactId>dummy-api</artifactId>
<scope>compile</scope>
</dependency>
</dependencies>
</project> mvn org.codehaus.mojo:versions-maven-plugin:2.18.0:dependency-updates-report -DprocessDependencyManagementTransitive=false the report lists |
The testcase is made up of two poms, parent/pom.xml and child/pom.xml, intentionally not placed in a single reactor build. running mvn -f child/pom.xml' versions:display-dependency-updates gives
The version of neither of both is directly specified in child/pom.xml, but inherited from parent/pom.xml, and both are ignored by e. g. versions:use-latest-version. This makes it hard to reason about what e. g. versions:use-latest-version will change. |
I'm missing the actual pom.xml files to be able to reproduce your case. |
sorry forgot to upload testcase.zip |
Thanks for the update. Not exactly sure how to tackle this. The plugin has a history and its goals do differ in behaviour ever so slightly. For example, Regarding the version of
I believe that showing an update of a dependency which is not governed by any of the project files is incorrect; it can be updated by updating the parent or bom dependencies. Even so, there exists an integration test checking for just that, added by #291. Marking as both |
Same thing is true about e.g. <dependencies>
<dependency>
<groupId>com.oracle.database.jdbc</groupId>
<artifactId>ojdbc11</artifactId>
<scope>compile</scope>
<type>jar</type>
<currentVersion>21.9.0.0</currentVersion>
<lastVersion>23.6.0.24.10</lastVersion>
<minors>
<minor>21.10.0.0</minor>
<minor>21.11.0.0</minor>
<minor>21.12.0.0</minor>
<minor>21.13.0.0</minor>
<minor>21.14.0.0</minor>
<minor>21.15.0.0</minor>
</minors>
<majors>
<major>23.2.0.0</major>
<major>23.3.0.23.09</major>
<major>23.4.0.24.05</major>
<major>23.5.0.24.07</major>
<major>23.6.0.24.10</major>
</majors>
<status>minor available</status>
</dependency>
</dependencies> |
IMHO it would be already helpful to add information about the origin of the issue, similar to what help:effective-pom -Dverbose does: <dependency>
<groupId>com.oracle.database.jdbc</groupId> <!-- org.springframework.boot:spring-boot-dependencies:3.3.4, line 1347 -->
<artifactId>ojdbc11</artifactId> <!-- org.springframework.boot:spring-boot-dependencies:3.3.4, line 1348 -->
<version>21.9.0.0</version> <!-- org.springframework.boot:spring-boot-dependencies:3.3.4, line 1349 -->
</dependency> From this, one would immediately know where to go to fix it. |
Very good idea. |
@slawekjaranowski do you think we should not show dependencies coming from parents outside of the reactor by default? |
@andrzejj0 I think that this is not a clear cut yes or no, but depends on the use case
|
Okay. I'll make the option controlling this false by default (that is, the plugin will keep its old behaviour by default). It's a good idea about showing the location of the dependency in those cases, much like what I'm currently trying to extract and use a common service for displaying dependencies, dependency reports, and perhaps even updates, which would make the behaviour there (and available options, like e.g. dependencyIncludes/excludes) consistent at once... but that's probably for a longer shot. |
showVersionless false filters out dependencies managed outside of the reactor verbose true adds the source of these dependencies
showVersionless false filters out dependencies managed outside of the reactor verbose true adds the source of these dependencies
showVersionless false filters out dependencies managed outside of the reactor verbose true adds the source of these dependencies
showVersionless false filters out dependencies managed outside of the reactor verbose true adds the source of these dependencies
showVersionless false filters out dependencies managed outside of the reactor verbose true adds the source of these dependencies
showVersionless false filters out dependencies managed outside of the reactor verbose true adds the source of these dependencies
showVersionless false filters out dependencies managed outside of the reactor verbose true adds the source of these dependencies
showVersionless false filters out dependencies managed outside of the reactor verbose true adds the source of these dependencies
showVersionless false filters out dependencies managed outside of the reactor verbose true adds the source of these dependencies
Added an integration test + showVersionless for dependency-updates-report
Added an integration test + showVersionless for dependency-updates-report
Added an integration test + showVersionless for dependency-updates-report
Added an integration test + showVersionless for dependency-updates-report
I found nothing similar in closed issues, if you consider this a duplicate to a previous issue, feel free to close it.
Motivation:
I'm trying to limit the reports down to a point that all listed dependencies, plugins, parent and properties version are specified in the analyzed pom.xml. Basically all inherited (upstream) issues should be ignored. I want to make it as simple and fast as possible to fix such issues without the need to reason about if a reported issue is inherited from upstream.
Example: two projects, from different reactors
report for
Possible Solutions:
The text was updated successfully, but these errors were encountered: