[ https://issues.apache.org/jira/browse/MGPG-111?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17824936#comment-17824936 ]
Elliotte Rusty Harold edited comment on MGPG-111 at 3/9/24 12:42 PM:
---------------------------------------------------------------------

Interesting blog article. After reading it, I'm not surprised that maven-dependency-analyzer doesn't pick up "dependency grouping". It's essentially a hack that uses undeclared transitive dependencies instead of declared direct dependencies. I suppose you might make a case for that, but it's the opposite of what maven-dependency-plugin:analyze is trying to check.

My personal opinion is that developers should bite the bullet and declare all their direct dependencies and only direct dependencies. Use a BOM to set versions of related projects, but not to add dependencies to the tree. Anything else runs counter to the design of Maven and the Maven repository system, and will cause more problems than it solves.

The design of the Maven repo system is far from perfect, but it's what we've got, and we can't hack changes into it. Anything better would require a complete rethink of everything beyond jar files and classpaths. It's the classic antipattern of someone wishing the system were other than it is, and trying to pound the round peg into a square hole by using a bigger hammer. Other examples of this antipattern include "functional" programming in Java, various schemes to avoid declaring and handling checked exceptions, and any number of faster XML parsers that achieve speed by changing or subsetting the XML spec.

was (Author: elharo):

Interesting blog article. After reading it, I'm not surprised that maven-dependency-analyzer doesn't pick up "dependency grouping". It's essentially a hack that uses undeclared transitive dependencies instead of declared direct dependencies. I suppose you might make a case for that, but it's the opposite of what maven-dependency-plugin:analyze is trying to check.

My personal opinion is that developers should bite the bullet and declare all their direct dependencies and only direct dependencies. Use a BOM to set versions of related projects, but not to add dependencies to the tree.

> Clean up dependency declarations
> ---------------------------------
>
>                 Key: MGPG-111
>                 URL: https://issues.apache.org/jira/browse/MGPG-111
>             Project: Maven GPG Plugin
>          Issue Type: Dependency upgrade
>            Reporter: Elliotte Rusty Harold
>            Priority: Minor
>
> [WARNING] Used undeclared dependencies found:
> [WARNING]    org.apache.maven:maven-artifact:jar:3.9.6:provided
> [WARNING]    org.apache.maven:maven-settings:jar:3.9.6:provided
> [WARNING]    com.kohlschutter.junixsocket:junixsocket-common:jar:2.9.0:compile
> [WARNING]    org.apache.maven.resolver:maven-resolver-impl:jar:1.9.18:provided
> [WARNING] Unused declared dependencies found:
> [WARNING]    com.kohlschutter.junixsocket:junixsocket-core:pom:2.9.0:compile
> [WARNING]    org.codehaus.plexus:plexus-cipher:jar:2.0:compile

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
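The pom.xml fragment below is an added illustration of the approach the comment argues for, not the Maven GPG Plugin's own pom and not code from the issue. It declares as direct dependencies exactly the artifacts the analyzer reported as "used undeclared", drops the two "unused declared" entries (the pom-type junixsocket-core, which only pulled junixsocket-common in transitively, and plexus-cipher), keeps every version in dependencyManagement, and wires up analyze-only with failOnWarning so a future undeclared or unused dependency fails the build. The BOM coordinates com.example:example-bom are a placeholder for whatever published BOM the project would actually import; the Maven core and resolver versions are the ones from the analyzer output above.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>declared-deps-example</artifactId>
  <version>1.0-SNAPSHOT</version>

  <!-- Versions only: a BOM (placeholder coordinates) plus explicit pins.
       Nothing here adds an artifact to the dependency tree. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.example</groupId>
        <artifactId>example-bom</artifactId>   <!-- hypothetical BOM -->
        <version>1.0</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <dependency>
        <groupId>org.apache.maven</groupId>
        <artifactId>maven-artifact</artifactId>
        <version>3.9.6</version>
      </dependency>
      <dependency>
        <groupId>org.apache.maven</groupId>
        <artifactId>maven-settings</artifactId>
        <version>3.9.6</version>
      </dependency>
      <dependency>
        <groupId>org.apache.maven.resolver</groupId>
        <artifactId>maven-resolver-impl</artifactId>
        <version>1.9.18</version>
      </dependency>
      <dependency>
        <groupId>com.kohlschutter.junixsocket</groupId>
        <artifactId>junixsocket-common</artifactId>
        <version>2.9.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <!-- Direct dependencies only, each one actually referenced by this code.
       No pom-type "grouping" artifact (junixsocket-core) and no unused jar
       (plexus-cipher); versions come from dependencyManagement. -->
  <dependencies>
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-artifact</artifactId>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-settings</artifactId>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.maven.resolver</groupId>
      <artifactId>maven-resolver-impl</artifactId>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>com.kohlschutter.junixsocket</groupId>
      <artifactId>junixsocket-common</artifactId>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Fail the build if the analyzer finds used-undeclared or
           unused-declared dependencies again. Pin the plugin version
           in pluginManagement; it is omitted here. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-dependency-plugin</artifactId>
        <executions>
          <execution>
            <id>check-declared-dependencies</id>
            <goals>
              <goal>analyze-only</goal>
            </goals>
            <configuration>
              <failOnWarning>true</failOnWarning>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With this layout the classpath a consumer sees is fully determined by the dependencies block, so removing a transitive artifact from junixsocket-core in a future release cannot silently break compilation, and the analyze-only execution turns the warnings quoted in the issue into a verify-phase failure.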