[
https://issues.apache.org/jira/browse/MNG-7238?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17939413#comment-17939413
]
Guillaume Nodet commented on MNG-7238:
--------------------------------------
I'll close subtasks for now, there's no point in keeping them if there's no
clear solution yet.
I find this feature interesting, but hard to implement.
This is a bit similar (though at a different level) to having an external
source of signatures to validate downloaded artifacts, I think it may be easier
to maintain as a separate repository.
> Dependency deprecation indicators
> ---------------------------------
>
> Key: MNG-7238
> URL: https://issues.apache.org/jira/browse/MNG-7238
> Project: Maven
> Issue Type: New Feature
> Reporter: Chris Kilding
> Priority: Major
>
> I would like to propose a new Maven feature: dependency deprecation
> indicators.
> In a nutshell, the idea is to let maintainers set a 'deprecated' metadata
> indicator on a Maven artifact in a repository. This will indicate to users
> that the artifact should no longer be used.
> The Maven CLI tools could then react to deprecation indicators in the
> appropriate ways:
> * {{mvn}} itself: Print a warning when deprecated dependencies are seen.
> * Maven Enforcer Plugin: Add a {{<banDeprecatedDependencies>}} rule which
> throws an error when deprecated dependencies are seen. (Also have a 'skip'
> property which allows the rule to be temporarily bypassed if needed.)
> * Maven Dependency Tree: Print a {{[deprecated]}} notice next to any
> deprecated dependency in the tree.
> We can also envisage automated agents like Dependabot or Snyk using these
> indicators to alert developers about deprecated dependencies in their stacks,
> and even assisting developers to remove them.
> Some of the major build tools outside the JVM already have deprecation
> indicators:
> * NPM: [https://docs.npmjs.com/cli/v7/commands/npm-deprecate]
> * Nuget:
> [https://docs.microsoft.com/en-us/nuget/nuget-org/deprecate-packages]
> * Composer:
> [https://tomasvotruba.com/blog/2017/07/03/how-to-deprecate-php-package-without-leaving-anyone-behind/]
> * Cocoapods: [https://guides.cocoapods.org/syntax/podspec.html#deprecated]
> So the feature has precedent, and I believe it would be useful to have in
> Maven.
> This Jira ticket follows up from the conversation "Feature proposal:
> Dependency deprecation indicators" on the maven-dev mailing list.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
