I can recommend not using version ranges, because they break build 
reproducibility. If you use a specific version and a tool like Dependabot or 
Renovate to create pull requests for updates, you’ll have a reproducible build 
without having to keep an eye out for updates yourself.

Nils.

> On 27 Jul 2022, at 13:44, Jacques Etienne Beaudet <jebeau...@gmail.com> 
> wrote:
> 
> Please see issue 
> https://issues.apache.org/jira/plugins/servlet/mobile#issue/MNG-4463. It will 
> be resolved in Maven 4 if I'm not mistaken.
> On Jul 27, 2022, 7:40 AM -0400, [Quipsy] Markus Karg <k...@quipsy.de>, wrote:
>> I think I found a bug in Maven, but I am not sure. Maybe I am doing 
>> something wrong, so Maven Committers, please judge the following case:
>> 
>> A version range in a dependency like...
>> 
>> <dependency>
>> <groupId>org.glassfish.jersey.core</groupId>
>> <artifactId>jersey-server</artifactId>
>> <version>[2.0.0, 3.0.0)</version>
>> </dependency>
>> 
>> mvn dependency:tree
>> 
>> ...results in a correctly resolved output...
>> 
>> ...
>> +- org.glassfish.jersey.core:jersey-server:jar:3.0.0-RC2:compile
>> ...
>> 
>> But when instead using the same version range IN AN IMPORTED BOM, then...
>> 
>> <dependencyManagement>
>> <dependency>
>> <groupId>org.glassfish.jersey</groupId>
>> <artifactId>jersey-bom</artifactId>
>> <version>[2.0.0, 3.0.0)</version>
>> <type>pom</type>
>> <scope>import</scope>
>> </dependency>
>> </dependencyManagement>
>> 
>> <dependency>
>> <groupId>org.glassfish.jersey.core</groupId>
>> <artifactId>jersey-server</artifactId>
>> </dependency>
>> 
>> mvn dependency:tree
>> 
>> ...results in this error message as it was not resolved:
>> 
>> downloading from xxx: 
>> http://xxx:8081/content/groups/public/org/glassfish/jersey/jersey-bom/%5B2.0.0,%203.0.0)/jersey-bom-%5B2.0.0,%203.0.0).pom
>> 
>> Non-resolvable import POM: Could not find artifact 
>> org.glassfish.jersey:jersey-bom:pom:[2.0.0, 3.0.0)
>> 
>> In fact, calling curl -i 
>> http://nexus:8081/content/groups/public/org/glassfish/jersey/jersey-bom/%5B2.0.0,%203.0.0)/jersey-bom-%5B2.0.0,%203.0.0).pom
>>  tells us that such a URL does not exist: HTTP/1.1 400 Invalid repository 
>> path.
>> 
>> So am I doing or assuming something wrong here (e. g. possibly includes 
>> deliberately will not resolve version ranges) or is that simply a bug in 
>> Maven (which I should report in the issue tracker)?
>> 
>> Thanks!
>> -Markus
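
A check for the version ranges discussed in this thread, written as an added example that is not part of the original messages or of Maven itself: it scans a POM for ranged `<version>` values and marks the ones on import-scoped BOMs. The function name `find_version_ranges` and the sample POM are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample POM combining the two snippets quoted in the thread.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>org.glassfish.jersey</groupId>
      <artifactId>jersey-bom</artifactId>
      <version>[2.0.0, 3.0.0)</version>
      <type>pom</type><scope>import</scope>
    </dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.glassfish.jersey.core</groupId>
      <artifactId>jersey-server</artifactId>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>pinned</artifactId>
      <version>1.2.3</version>
    </dependency>
  </dependencies>
</project>"""

def is_range(version):
    # A range is bracketed and contains a comma; "[1.0]" alone is an exact pin.
    return version.startswith(("[", "(")) and "," in version

def find_version_ranges(pom_text):
    """Return (groupId:artifactId, version, kind) for every ranged dependency."""
    root = ET.fromstring(pom_text)
    for el in root.iter():                      # drop the POM namespace from tags
        el.tag = el.tag.rsplit("}", 1)[-1]
    findings = []
    for dep in root.iter("dependency"):
        version = (dep.findtext("version") or "").strip()
        if not is_range(version):
            continue
        is_bom = (dep.findtext("scope") or "").strip() == "import"
        ga = f"{dep.findtext('groupId')}:{dep.findtext('artifactId')}"
        findings.append((ga, version, "bom-import" if is_bom else "dependency"))
    return findings

if __name__ == "__main__":
    for ga, version, kind in find_version_ranges(SAMPLE_POM):
        print(f"{kind}: {ga} uses range {version}; pin an exact version")
```

Run as a CI step, a non-empty result can fail the build so that every version change arrives as a reviewable pull request.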

