Great link, thank you so much

From: Shipp, Scott <ssh...@ebay.com.INVALID>
Sent: Tuesday, April 19, 2022 8:55 AM
To: Maven Users List <users@maven.apache.org>
Subject: Re: Determine Maven Dependencies after a build

I also wanted to add that there is a reproducible builds guide at
https://maven.apache.org/guides/mini/guide-reproducible-builds.html
which also links to a wiki about the topic. There is a lot you can do to
ensure reproducible builds with Maven.

From: Creager, Greg <greg.crea...@hp.com.INVALID>
Date: Friday, April 15, 2022 at 8:10 AM
To: Maven Users List <users@maven.apache.org>
Subject: RE: Determine Maven Dependencies after a build

Is there a drawback to simply running resolve-ranges before official builds to 
ensure the pom has static versions? That seems like it would resolve having 
published poms with version ranges in production.
mvn versions:resolve-ranges -DprocessParent=true

From: Mark Derricutt <m...@talios.com>
Sent: Wednesday, April 13, 2022 4:49 PM
To: Maven Users List <users@maven.apache.org>
Subject: Re: Determine Maven Dependencies after a build

I don't believe there currently is a way for this in native maven.

We ended up writing a custom tool/mojo for resolution management using a
DSL like:

repository https://repo1.maven.org/maven2/ as central;

resolve highest org.antlr:antlr4-maven-plugin:[4.10,5.0.0) via central;

locked org.antlr:antlr4-maven-plugin:4.10;


Which tracks the repositories to check, a range to resolve, and what was
resolved/locked ( also tracking deprecated/blacklisted dependencies ).

These pom.deps files get attached as artifacts and can be subsequently
imported in downstream repos:

repository https://nexus.az1.smxk8s.net/repository/maven-public-group;

import groupId:artifact.bill-of-materials:3.3.150;

locked org.antlr:antlr4-maven-plugin:4.10;


From here, the actual pom.xml files are rewritten with
<version>[4.10]</version> references - locking the build to a specific,
locked range version ( for extra banality we also automatically add
<exclusions> on * to prevent transitive dependencies ).

This definitely has problems, but also has benefits and certainly made hot
fixes much easier to handle when we had different deployments staggered
into production between customer sites.

--
"Great artists are extremely selfish and arrogant things" - Steven Wilson,
Porcupine Tree


On 14/04/2022 at 6:25:47 AM, "Creager, Greg" <greg.crea...@hp.com.invalid>
wrote:

> I am trying to reproduce a build that was done a week ago. Our maven pom
> files use ranges in many places ([1.0,1.1)), when I go look at the pom of the
> published project, it just shows the range, not the actual version chosen:
>
> Published pom:
> <dependency>
> <groupId>com.hp.cp.dfe.shared</groupId>
> <artifactId>common-types</artifactId>
> <version>[1.0,1.1)</version>
> </dependency>
>
>
> How do I determine exact versions of dependencies used in a prior build?
> In Apache ivy the published ivy.xml shows the exact version chosen, I was
> expecting maven to have the same and I am assuming I just am not using the
> right util.
>
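The resolution step this thread is about (Greg's unresolved `[1.0,1.1)` ranges, Mark's rewrite to a pinned `[4.10]` form, and the `resolve-ranges` idea), as an added example that is not code from the thread or from the tool Mark describes: it parses Maven range syntax, picks the highest matching version the way Maven's resolver does, and rewrites the pom so the published artifact records what was built. The pom and the available-version lists are constructed inline, and version ordering is simplified to dotted integers (Maven's real ordering also handles qualifiers such as `-SNAPSHOT`).

```python
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
# Constructed sample pom with ranges and the versions a repository might offer.
SAMPLE_POM = f"""<project xmlns="{POM_NS}"><dependencies>
<dependency><groupId>com.hp.cp.dfe.shared</groupId><artifactId>common-types</artifactId><version>[1.0,1.1)</version></dependency>
<dependency><groupId>org.antlr</groupId><artifactId>antlr4-maven-plugin</artifactId><version>[4.10,5.0.0)</version></dependency>
</dependencies></project>"""
AVAILABLE = {"com.hp.cp.dfe.shared:common-types": ["1.0.0", "1.0.3", "1.1.0"],
             "org.antlr:antlr4-maven-plugin": ["4.9.3", "4.10", "4.10.1"]}

def vkey(v):
    """Ordering key, simplified to dotted integers (Maven also orders qualifiers)."""
    return tuple(int(p) for p in v.split("."))

def parse_range(spec):
    """'[1.0,1.1)' -> ('1.0', True, '1.1', False); '[4.10]' is exact; empty bound = open; bare '1.0' -> None."""
    m = re.fullmatch(r"([\[(])([^,\])]*)(?:,([^\])]*))?([\])])", spec.strip())
    if not m:
        return None  # a bare version is a soft requirement, not a range
    lo_br, lo, hi, hi_br = m.groups()
    hi = lo if hi is None else hi
    return lo or None, lo_br == "[", hi or None, hi_br == "]"

def resolve(spec, available):
    """Highest available version inside the range, which is what Maven picks."""
    bounds = parse_range(spec)
    if bounds is None:
        return spec
    lo, lo_inc, hi, hi_inc = bounds
    ok = [v for v in available
          if (not lo or vkey(v) > vkey(lo) or (lo_inc and vkey(v) == vkey(lo)))
          and (not hi or vkey(v) < vkey(hi) or (hi_inc and vkey(v) == vkey(hi)))]
    return max(ok, key=vkey) if ok else None

def pin_pom(pom_xml=SAMPLE_POM, available=AVAILABLE):
    """Rewrite each ranged <version> to the exact '[x.y.z]' form so the published
    pom records what was built; returns (new xml, {groupId:artifactId: version})."""
    ET.register_namespace("", POM_NS)
    root, ns, locks = ET.fromstring(pom_xml), {"m": POM_NS}, {}
    for dep in root.findall(".//m:dependency", ns):
        ga = dep.find("m:groupId", ns).text + ":" + dep.find("m:artifactId", ns).text
        ver = dep.find("m:version", ns)
        chosen = resolve(ver.text, available.get(ga, []))
        if chosen is None:
            raise ValueError(f"no version of {ga} satisfies {ver.text}")
        ver.text, locks[ga] = f"[{chosen}]", chosen
    return ET.tostring(root, encoding="unicode"), locks
```

Run `pin_pom()` before the official build and commit or attach the returned lock map alongside the rewritten pom; a week later the exact versions are then on record instead of only the range.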
