I suspect you could use the dependency plugin and its copy-dependencies goal to pin
them for now and store the produced archive somewhere.

On Thu, Apr 14, 2022, 17:24 Creager, Greg <greg.crea...@hp.com.invalid>
wrote:

> Thanks for all the quick responses, greatly appreciate it. I’ll have to
> work with our architects and see if I can steer them away from this, build
> reproducibility is highest priority.
>
> Thanks again
>
> From: Mark Derricutt <m...@talios.com>
> Sent: Wednesday, April 13, 2022 4:49 PM
> To: Maven Users List <users@maven.apache.org>
> Subject: Re: Determine Maven Dependencies after a build
>
> I don’t believe there currently is a way for this in native maven.
>
> We ended up writing a custom tool/mojo for resolution management using a
> DSL like:
>
> repository https://repo1.maven.org/maven2/ as central;
>
> resolve highest org.antlr:antlr4-maven-plugin:[4.10,5.0.0) via central;
>
> locked org.antlr:antlr4-maven-plugin:4.10;
>
>
> Which tracks the repositories to check, a range to resolve, and what was
> resolved/locked ( also tracking deprecated/blacklisted dependencies ).
>
> These pom.deps files get attached as artifacts and can be subsequently
> imported in downstream repos:
>
> repository https://nexus.az1.smxk8s.net/repository/maven-public-group;
>
> import groupId:artifact.bill-of-materials:3.3.150;
>
> locked org.antlr:antlr4-maven-plugin:4.10;
>
>
> From here, the actual pom.xml files are rewritten with
> <version>[4.10]</version> references - locking the build to a specific,
> locked range version ( for extra banality we also automatically add
> <exclusions> on * to prevent transitive dependencies ).
>
> This definitely has problems, but also has benefits and certainly made hot
> fixes much easier to handle when we had different deployments staggered
> into production between customer sites.
>
> --
> "Great artists are extremely selfish and arrogant things" — Steven Wilson,
> Porcupine Tree
>
>
> On 14/04/2022 at 6:25:47 AM, "Creager, Greg" <greg.crea...@hp.com.invalid>
> wrote:
>
> > I am trying to reproduce a build that was done a week ago. Our maven pom
> > files use ranges in many places ([1.0,1.1)); when I go look at the pom of the
> > published project, it just shows the range, not the actual version chosen:
> >
> > Published pom:
> > <dependency>
> > <groupId>com.hp.cp.dfe.shared</groupId>
> > <artifactId>common-types</artifactId>
> > <version>[1.0,1.1)</version>
> > </dependency>
> >
> >
> > How do I determine exact versions of dependencies used in a prior build?
> > In Apache ivy the published ivy.xml shows the exact version chosen, I was
> > expecting maven to have the same and I am assuming I just am not using the
> > right util.
> >
>
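Putting the two suggestions in this thread together (capture what the dependency plugin actually resolved, then rewrite the range `<version>` entries as hard `[x]` requirements), here is an added Python example that is not code from any of the posters. It assumes the resolved set was captured with `mvn dependency:list -DoutputFile=resolved.txt`; the pom and the resolved list embedded below are constructed samples, not real project data.

```python
"""Pin Maven version ranges in a pom.xml to the versions a prior build resolved."""
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
RANGE_RE = re.compile(r"^[\[(].*[\])]$")  # matches [1.0,1.1), (,2.0], [4.10] ...

# Constructed sample pom, modelled on the one quoted in the thread.
SAMPLE_POM = f"""<project xmlns="{POM_NS}">
  <dependencies>
    <dependency>
      <groupId>com.hp.cp.dfe.shared</groupId>
      <artifactId>common-types</artifactId>
      <version>[1.0,1.1)</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed sample of `mvn dependency:list` output (g:a:type[:classifier]:version:scope).
SAMPLE_RESOLVED = """The following files have been resolved:
   com.hp.cp.dfe.shared:common-types:jar:1.0.7:compile
   org.slf4j:slf4j-api:jar:1.7.36:compile
"""


def parse_resolved(text):
    """Map groupId:artifactId -> version for each resolved coordinate line."""
    resolved = {}
    for line in text.splitlines():
        fields = line.split()          # drops the " -- module ..." suffix newer Maven appends
        parts = fields[0].split(":") if fields else []
        if len(parts) >= 5:            # version is the field before scope
            resolved[f"{parts[0]}:{parts[1]}"] = parts[-2]
    return resolved


def pin_ranges(pom_xml, resolved):
    """Replace every range <version> with the hard requirement [x] of the version used.

    Returns the rewritten pom and the list of (g:a, version) pairs that were pinned;
    a range with no resolved version is an error rather than a silent pass-through."""
    ET.register_namespace("", POM_NS)
    ns = {"m": POM_NS}
    root = ET.fromstring(pom_xml)
    pinned = []
    for dep in root.iterfind(".//m:dependency", ns):
        key = f"{dep.findtext('m:groupId', namespaces=ns)}:{dep.findtext('m:artifactId', namespaces=ns)}"
        ver = dep.find("m:version", ns)
        if ver is None or ver.text is None or not RANGE_RE.match(ver.text.strip()):
            continue                   # fixed version or inherited from a BOM: leave alone
        if key not in resolved:
            raise ValueError(f"{key} uses a range but was not in the resolved list")
        ver.text = f"[{resolved[key]}]"
        pinned.append((key, resolved[key]))
    return ET.tostring(root, encoding="unicode"), pinned
```

Check the pinned pom into the release branch (or attach it as an artifact) so the exact versions survive alongside the published pom that still shows the range.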