Thanks, Wendy.

I don't disagree that it's powerful and convenient, and it definitely doesn't absolve responsibility.

But that still leaves me unsure as to what the goal of it actually is.
What do you think is the goal of transitive dependencies?

G.

Wendy Smoak wrote:

Maven's transitive dependency mechanism is powerful and convenient...
but it does not absolve you of the responsibility to be aware of what
versions of what libraries you are depending on.

(I don't think you disagree... in your original scenarios, you were
asking how to deal with a security flaw in a transitive dependency and
make sure that you're using the right version.)

Maven provides reports to help you see what dependencies you're
working with, for example:
* http://struts.apache.org/struts-action/struts-core/dependencies.html

