[ 
https://issues.apache.org/jira/browse/MNG-7238?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17412488#comment-17412488
 ] 

Chris Kilding commented on MNG-7238:
------------------------------------

A deprecation flag does not force anyone to remove a dependency from their 
stack. (It is not the equivalent of unpublishing an artifact. It does not cause 
build errors either - it would only print warnings, unless a developer 
explicitly opts in to using the proposed Enforcer rule, which is only a 
proposal.) The deprecation flag simply provides a structured way for downstream 
consumers to know that the artifact is not being maintained any more, and that 
it shouldn't be used. How long they leave the deprecated artifact in their 
application stack after that is up to them; at least they will not be under the 
illusion that the artifact is still maintained.

Indeed, equipped with the knowledge that this feature would provide, those 
consumers will be able to make better informed decisions about how long to keep 
old dependencies and when to stop using them.

> Dependency deprecation indicators
> ---------------------------------
>
>                 Key: MNG-7238
>                 URL: https://issues.apache.org/jira/browse/MNG-7238
>             Project: Maven
>          Issue Type: New Feature
>            Reporter: Chris Kilding
>            Priority: Major
>
> I would like to propose a new Maven feature: dependency deprecation 
> indicators.
> In a nutshell, the idea is to let maintainers set a 'deprecated' metadata 
> indicator on a Maven artifact in a repository. This will indicate to users 
> that the artifact should no longer be used.
> The Maven CLI tools could then react to deprecation indicators in the 
> appropriate ways:
>  * {{mvn}} itself: Print a warning when deprecated dependencies are seen.
>  * Maven Enforcer Plugin: Add a {{<banDeprecatedDependencies>}} rule which 
> throws an error when deprecated dependencies are seen. (Also have a 'skip' 
> property which allows the rule to be temporarily bypassed if needed.)
>  * Maven Dependency Tree: Print a {{[deprecated]}} notice next to any 
> deprecated dependency in the tree.
> We can also envisage automated agents like Dependabot or Snyk using these 
> indicators to alert developers about deprecated dependencies in their stacks, 
> and even assisting developers to remove them.
> Some of the major build tools outside the JVM already have deprecation 
> indicators:
>  * NPM: [https://docs.npmjs.com/cli/v7/commands/npm-deprecate]
>  * NuGet: 
> [https://docs.microsoft.com/en-us/nuget/nuget-org/deprecate-packages]
>  * Composer: 
> [https://tomasvotruba.com/blog/2017/07/03/how-to-deprecate-php-package-without-leaving-anyone-behind/]
>  * CocoaPods: [https://guides.cocoapods.org/syntax/podspec.html#deprecated]
> So the feature has precedent, and I believe it would be useful to have in 
> Maven.
> This Jira ticket follows up from the conversation "Feature proposal: 
> Dependency deprecation indicators" on the maven-dev mailing list.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
