Repository: maven Updated Branches: refs/heads/master 1d148be82 -> 4567c8319
MNG-5818: Disallow the programmatic injection of project dependencies The first step here is deprecating the publicly accessible method that allows plugins to inject dependencies. The only plugin I currently know of that does this is the cobertura-maven-plugin. Looking at that plugin it appears the user can specify the cobertura dependency for the instrumentation process but if they do not the plugin attempts to inject the dependency. I believe the path forward here is making sure these types of plugins instruct their users to add the dependency explicitly. I'm going to try and create a call-graph for all of Maven Central with my first test to see if I can accurately detect all usages of MavenProject.setDependencyArtifacts of artifact in Maven Central. Project: http://git-wip-us.apache.org/repos/asf/maven/repo Commit: http://git-wip-us.apache.org/repos/asf/maven/commit/4567c831 Tree: http://git-wip-us.apache.org/repos/asf/maven/tree/4567c831 Diff: http://git-wip-us.apache.org/repos/asf/maven/diff/4567c831 Branch: refs/heads/master Commit: 4567c8319e95d58e258e9a8c2067ed9bbe01b58e Parents: 1d148be Author: Jason van Zyl <ja...@tesla.io> Authored: Thu Apr 30 21:39:28 2015 -0400 Committer: Jason van Zyl <ja...@tesla.io> Committed: Thu Apr 30 21:39:28 2015 -0400 ---------------------------------------------------------------------- .../src/main/java/org/apache/maven/project/MavenProject.java | 2 ++ 1 file changed, 2 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/maven/blob/4567c831/maven-core/src/main/java/org/apache/maven/project/MavenProject.java ---------------------------------------------------------------------- diff --git a/maven-core/src/main/java/org/apache/maven/project/MavenProject.java b/maven-core/src/main/java/org/apache/maven/project/MavenProject.java index 8587a5c..32fcae1 100644 --- a/maven-core/src/main/java/org/apache/maven/project/MavenProject.java +++ b/maven-core/src/main/java/org/apache/maven/project/MavenProject.java @@ -995,11 +995,13 @@ public class MavenProject * @return {@link Set} < {@link Artifact} > * @see #getArtifacts() to get all transitive dependencies */ + @Deprecated public Set<Artifact> getDependencyArtifacts() { return dependencyArtifacts; } + @Deprecated public void setDependencyArtifacts( Set<Artifact> dependencyArtifacts ) { this.dependencyArtifacts = dependencyArtifacts;