maven-issues mailing list archives

From "Jakub Senko (JIRA)" <>
Subject [jira] (MENFORCER-138) Rule to ban all transitive dependencies
Date Mon, 03 Sep 2012 14:28:21 GMT


Jakub Senko commented on MENFORCER-138:

Thanks, I have pulled your changes, fixed the bug and created the site.
> Rule to ban all transitive dependencies
> ---------------------------------------
>                 Key: MENFORCER-138
>                 URL:
>             Project: Maven 2.x Enforcer Plugin
>          Issue Type: New Feature
>          Components: Standard Rules
>            Reporter: Paul Gier
>            Assignee: Paul Gier
> In some projects it's necessary (or at least desirable) to have all dependencies explicitly
> specified in the pom. We have a build requirement to use a strictly controlled maven repository
> which includes only artifacts which are necessary and have been reviewed/approved. In order
> to meet this requirement, each new dependency in the build must be reviewed before each release.
> This can be done by periodically reviewing the dependency tree and cleaning up any unnecessary
> dependencies, but it would be more efficient if the developer adding the dependency was immediately
> notified that new (possibly unnecessary) dependencies were added to the build and not explicitly
> defined. The developer can immediately choose whether to exclude the transitive dependency
> (if it's not really needed), or declare the dependency and control the version using dependency
> management. Doing this checking up front when the build is modified is more efficient than
> periodically reviewing the dependency tree after several upgrades may have taken place.
> In order to facilitate this use case, an enforcer rule could check that all dependencies
> are explicitly defined unless they are specifically marked to be ignored. This would ban
> all transitive dependencies so that the user could either add the transitive dependency directly
> to the pom (if it's actually needed), exclude the dependency using exclusions in the dependency
> management, or mark it to be ignored using something like an <excludes> parameter similar
> to other standard enforcer rules.
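As an added illustration of the check the issue describes (this is example code, not the enforcer plugin's own implementation), the following Python walks a constructed resolved dependency tree, passes anything declared directly in the POM, and reports every other dependency unless an assumed `<excludes>`-style glob pattern covers it:

```python
import fnmatch

# Constructed sample: dependencies declared directly in the POM (groupId:artifactId).
DECLARED = {"org.apache.commons:commons-lang3", "junit:junit"}

# Constructed sample of the resolved dependency tree as (coordinate, parent coordinate).
# A parent of None means the dependency is a direct one.
RESOLVED = [
    ("org.apache.commons:commons-lang3:3.1", None),
    ("junit:junit:4.10", None),
    ("org.hamcrest:hamcrest-core:1.1", "junit:junit:4.10"),
    ("com.example:util:2.0", "org.apache.commons:commons-lang3:3.1"),
]


def matches(coord, pattern):
    """Glob-match a groupId:artifactId[:version] pattern against a coordinate.
    A pattern with fewer components (e.g. 'org.hamcrest:*') checks only the leading ones."""
    cparts, pparts = coord.split(":"), pattern.split(":")
    if len(pparts) > len(cparts):
        return False
    return all(fnmatch.fnmatchcase(c, p) for c, p in zip(cparts, pparts))


def ban_transitive_dependencies(resolved, declared, excludes=()):
    """Return (violations, ignored). A resolved dependency passes when it is declared
    directly in the POM; otherwise it must match an exclude pattern or it is a violation.
    'excludes' stands in for the <excludes> parameter the issue proposes (an assumption)."""
    violations, ignored = [], []
    for coord, parent in resolved:
        gid, aid, _version = coord.split(":")
        if f"{gid}:{aid}" in declared:
            continue  # explicitly managed by the developer
        if any(matches(coord, p) for p in excludes):
            ignored.append(coord)
        else:
            violations.append(f"{coord} (introduced by {parent})")
    return violations, ignored


if __name__ == "__main__":
    bad, skipped = ban_transitive_dependencies(RESOLVED, DECLARED, excludes=["org.hamcrest:*"])
    for line in bad:
        print("Transitive dependency not declared in pom:", line)
    print("Ignored by excludes:", skipped)
```

Run against the sample tree, only `com.example:util:2.0` is reported, since hamcrest is covered by the exclude pattern and the other two are declared directly.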


