[ https://issues.apache.org/jira/browse/MENFORCER-432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17700887#comment-17700887 ]
Marcono1234 commented on MENFORCER-432: --------------------------------------- 3.2.1 is affected as well. I have now included a specific example in the description; sorry that I did not provide that initially already. > requireUpperBoundDeps support for checking dependencyManagement > --------------------------------------------------------------- > > Key: MENFORCER-432 > URL: https://issues.apache.org/jira/browse/MENFORCER-432 > Project: Maven Enforcer Plugin > Issue Type: Improvement > Components: Standard Rules > Affects Versions: 3.1.0, 3.2.1 > Reporter: Marcono1234 > Priority: Minor > Fix For: waiting-for-feedback > > > For projects which are either used as parent by other projects, or which are > used as Bill of Materials (BOM) and which declare dependencies in the > {{dependencyManagement}} it would be useful if {{requireUpperBoundDeps}} was > able to check the dependencies in the {{dependencyManagement}}. This would > allow verifying that the versions of these managed dependencies are correct > and do not cause any issues for consuming projects. > Currently {{requireUpperBoundDeps}} seems to only check regular dependencies; > this prevents it from being used directly on the parent / BOM project, but > requires applying it on all consuming projects. > It would be quite useful to already detect conflicting dependency versions > directly in the parent / BOM project. > Maybe a separate option for this (e.g. {{checkDependencyManagement}}) would > be useful to allow enabling / disabling this check. > It appears maven-dependency-tree already determines those managed > dependencies in {{DefaultDependencyCollectorBuilder}} respectively > {{Maven31DependencyCollectorBuilder}} (in older versions), but does not > expose this information. > h3. Example > {code:xml} > <project> > <modelVersion>4.0.0</modelVersion> > <groupId>com.example</groupId> > <artifactId>my-bom</artifactId> > <version>1</version> > <packaging>pom</packaging> > <dependencyManagement> > <!-- Example from > https://maven.apache.org/enforcer/enforcer-rules/requireUpperBoundDeps.html > --> > <dependencies> > <dependency> > <groupId>org.slf4j</groupId> > <artifactId>slf4j-api</artifactId> > <version>1.4.0</version> > </dependency> > <dependency> > <groupId>ch.qos.logback</groupId> > <artifactId>logback-classic</artifactId> > <version>0.9.9</version> > <!-- Depends on org.slf4j:slf4j-api:1.5.0 --> > </dependency> > </dependencies> > </dependencyManagement> > <build> > <plugins> > <plugin> > <groupId>org.apache.maven.plugins</groupId> > <artifactId>maven-enforcer-plugin</artifactId> > <version>3.2.1</version> > <executions> > <execution> > <id>enforce</id> > <configuration> > <rules> > <requireUpperBoundDeps> > </requireUpperBoundDeps> > </rules> > </configuration> > <goals> > <goal>enforce</goal> > </goals> > </execution> > </executions> > </plugin> > </plugins> > </build> > </project> > {code} > Running {{mvn validate}} passes. Only when changing the > {{dependencyManagement}} to regular dependencies Maven Enforcer detects the > rule violation. -- This message was sent by Atlassian Jira (v8.20.10#820010)