New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[pom] Use provided for maven dependencies #388
Conversation
resolves #388 |
@@ -374,12 +374,14 @@ | |||
<groupId>org.apache.maven</groupId> | |||
<artifactId>maven-plugin-api</artifactId> | |||
<version>${mavenVersion}</version> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is dangerous as the prerequisites state compatibility with Maven 3.3.9 and still you reference provided dependencies from 3.8.4. You should reference the version provided by the minimum Maven version which is supported.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
dangerous in what way? Does it not work on maven 3.3.9? No one has reported that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You might introduce code dependencies on methods only being introduced with e.g. Maven Core 3.5.4 which will not work with Maven 3.3.9 (which is the minimum Maven version you support). No matter which version you give here at runtime Maven will determine the version of this dependency!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just make sure that the compile time dependency (with scope provided) is the same version as being provided by the lowest Maven version at run time.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added a github action, 3.3.9 with code base and all integration tests works without issue. See #390
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should also note any version before 3.8.x is vulnerable so old versions really don't matter if security is taken seriously. but that is another matter. Haven't used 3.3.9 in years and wouldn't understand why anyone would.
No description provided.