[ 
https://issues.apache.org/jira/browse/WW-5376?focusedWorklogId=958694&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-958694
 ]

ASF GitHub Bot logged work on WW-5376:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 25/Feb/25 11:05
            Start Date: 25/Feb/25 11:05
    Worklog Time Spent: 10m 
      Work Description: kusalk commented on PR #1234:
URL: https://github.com/apache/struts/pull/1234#issuecomment-2681590856

   > Do I get it right that users should import `struts2-bom` to get all the needed dependencies?
   
   That's correct, users should continue using the existing Struts BOM 
coordinates, no changes are required on their end. All the unrelated 
dependencies will no longer be included in the BOM after this change is merged.




Issue Time Tracking
-------------------

    Worklog Id:     (was: 958694)
    Time Spent: 1h 50m  (was: 1h 40m)

> struts2-bom should not pull in non-struts dependencies from struts2-parent
> --------------------------------------------------------------------------
>
>                 Key: WW-5376
>                 URL: https://issues.apache.org/jira/browse/WW-5376
>             Project: Struts 2
>          Issue Type: Bug
>            Reporter: Tyler King
>            Priority: Minor
>             Fix For: 6.8.0
>
>          Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> The parent of struts-bom pom file is the struts2-parent pom file. The 
> struts2-parent pom file includes a dependencyManagement section with many 
> non-struts dependencies (including test dependencies such as junit and 
> mockito), which are inherited in the struts-bom pom file. This is bad 
> practice for a bom file since consumers of that bom will have versions for 
> dependencies unrelated to struts locked down.
> See [https://www.garretwilson.com/blog/2023/06/14/improve-maven-bom-pattern] 
> and [https://github.com/apache/logging-log4j2] for an example of how they 
> have both parent and bom pom files



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
