brunoborges opened a new pull request, #1599: URL: https://github.com/apache/maven-dependency-plugin/pull/1599
## Summary

This PR adds three new goals to the Maven Dependency Plugin: `dependency:add`, `dependency:remove`, and `dependency:search`. These goals bring Maven's CLI experience closer to what npm, Cargo, pip, and NuGet offer — a single command to manage dependencies without manually editing XML.

### Motivation

Every major dependency management ecosystem provides a single-command way to add a dependency:

- **Python:** `pip install google-adk`
- **Node:** `npm install @google/adk`
- **Rust:** `cargo add google-adk`
- **.NET:** `dotnet add package Google.Adk`
- **Maven:** _(manual XML editing required)_

This friction is a barrier for developers coming from other ecosystems, and for AI coding agents where a CLI invocation is significantly cheaper than instructing an XML edit.

### New Goals

#### `dependency:add`

Adds a dependency to the project's `pom.xml`:

```bash
mvn dependency:add -Dgav="com.google.adk:google-adk:1.0.0"
mvn dependency:add -DgroupId=com.google.adk -DartifactId=google-adk -Dversion=1.0.0 -Dscope=test
mvn dependency:add -Dgav="com.google.adk:google-adk:1.0.0" -Dmanaged  # into <dependencyManagement>
mvn dependency:add -Dgav="org.springframework.boot:spring-boot-dependencies:3.2.0" -Dbom  # BOM import
```

Features:

- GAV shorthand or explicit `-DgroupId/-DartifactId/-Dversion` parameters
- `-Dmanaged` flag for `<dependencyManagement>` section
- `-Dbom` shorthand for BOM imports (`type=pom`, `scope=import`)
- `-Dmodule` to target a specific child module
- `-Dprofile` to target a specific Maven profile
- `-DupdateExisting` to update version/scope/type of existing dependencies
- Version inference from parent `<dependencyManagement>`
- `NONE` sentinel to clear scope/type/classifier during updates
- Duplicate detection with type/classifier-aware matching
- Property-interpolation cross-reference (blocks add when coords use properties)
- Parent POM inheritance warning in multi-module projects

#### `dependency:remove`

Removes a dependency from the project's `pom.xml`:

```bash
mvn dependency:remove -Dgav=com.google.adk:google-adk
mvn dependency:remove -DgroupId=com.google.adk -DartifactId=google-adk -Dmanaged
```

Features:

- Same parameter surface as `dependency:add` (`-Dmanaged`, `-Dmodule`, `-Dprofile`, `-Dbom`)
- Type/classifier-aware matching for precise removal
- Child module safety check (warns when removing a managed dependency that child modules depend on without explicit version)
- Comment cleanup (removes associated XML comments)

#### `dependency:search`

Queries Maven Central for artifacts:

```bash
mvn dependency:search -Dquery=google-adk
mvn dependency:search -Dquery=jackson -Drows=20
```

Features:

- Interactive TUI mode with artifact browsing, version selection, and copy-paste-ready `mvn dependency:add` commands
- Non-interactive tabular output for CI/scripted use
- Structured queries (`g:com.google.adk`, `a:google-adk`)

### Implementation Details

- **POM editing:** Uses DOM-level XML manipulation (`javax.xml.parsers`) to preserve formatting, comments, indentation, encoding, BOM markers, and XML declarations
- **Security:** XXE/DOCTYPE protection enabled, scope validation, root element validation
- **Robustness:** Atomic writes (temp file + rename), namespace-aware parsing, BOM character detection
- **Search:** Manual JSON parsing (no additional runtime dependencies beyond the plugin's existing deps)
- **Extends `AbstractDependencyMojo`:** Add and Remove goals use constructor injection and follow the existing `doExecute()` pattern. Search extends `AbstractMojo` directly (`requiresProject=false`).
### Testing

- **438 unit tests** pass (30 DependencyCoordinates + 36 PomEditor + 22 AddDependencyMojo + 14 RemoveDependencyMojo + 14 SearchDependencyMojo + 19 SearchDependencyMojoHttp + existing tests)
- **6 integration test projects** (add basic/gav-shorthand/managed, remove basic/not-found, search basic)
- Edge cases covered across 12+ audit rounds: encoding, namespaces, BOM markers, empty collections, property interpolation, concurrent fields, interactive TUI, profile targeting, NONE sentinels, etc.

### Documentation

- Comprehensive `specification.md` with parameter tables, behavioral matrices, and design decisions
- Site page: `src/site/apt/examples/cli-dependency-management.apt.vm`
- Full Javadoc on all public classes and methods
- `@since 3.11.0` annotations on all new classes

### Checklist

Following this checklist to help us incorporate your contribution quickly and easily:

- [x] Your pull request should address just one issue, without pulling in other changes.
- [x] Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
- [x] Each commit in the pull request should have a meaningful subject line and body. Note that commits might be squashed by a maintainer on merge.
- [x] Write unit tests that match behavioral changes, where the tests fail if the changes to the runtime are not applied.
- [x] Run `mvn verify` to make sure basic checks pass. A more thorough check will be performed on your pull request automatically.
- [ ] You have run the integration tests successfully (`mvn -Prun-its verify`).

To make clear that you license your contribution under the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0) you have to acknowledge this by using the following check-box.
- [x] I hereby declare this contribution to be licenced under the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0)
- [ ] In any other case, please file an [Apache Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf).
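
The Security and Robustness items under Implementation Details (DOCTYPE refusal, root element validation, temp file plus rename) can be sketched with `javax.xml.parsers` and `java.nio.file` as below. This is an added example, not code from the pull request; the class name `HardenedPomIo`, its method names and the sample inputs are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedPomIo { // hypothetical class name, not from the PR
    // Parse with every DOCTYPE refused, which rules out XXE and entity expansion.
    static Document parse(byte[] pom) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(pom));
        // Root element validation: refuse to edit anything that is not a POM.
        if (!"project".equals(doc.getDocumentElement().getLocalName())) {
            throw new IllegalArgumentException("root element is not <project>");
        }
        return doc;
    }
    // Atomic write: temp file in the target's directory, then a rename over it.
    static void writeAtomically(Path target, byte[] content) throws Exception {
        Path tmp = Files.createTempFile(target.toAbsolutePath().getParent(), "pom", ".tmp");
        try {
            Files.write(tmp, content);
            Files.move(tmp, target, StandardCopyOption.ATOMIC_MOVE);
        } finally {
            Files.deleteIfExists(tmp); // no-op after a successful move
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample inputs.
        byte[] ok = "<project><modelVersion>4.0.0</modelVersion></project>".getBytes(StandardCharsets.UTF_8);
        byte[] withDoctype = "<!DOCTYPE project [<!ENTITY e \"x\">]><project>&e;</project>".getBytes(StandardCharsets.UTF_8);
        System.out.println("parsed root: " + parse(ok).getDocumentElement().getLocalName());
        try {
            parse(withDoctype);
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        Path target = Files.createTempDirectory("pom-demo").resolve("pom.xml");
        writeAtomically(target, ok);
        System.out.println("wrote " + Files.size(target) + " bytes");
    }
}
```

With `ATOMIC_MOVE`, whether an existing target is replaced or the call throws is implementation specific, so an editor that overwrites `pom.xml` in place needs to handle the failure path. Creating the temp file in the target's own directory keeps the rename on one file system, which is what makes it atomic.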
