[pom] Use provided for maven dependencies #388
Conversation
|
resolves #388 |
| @@ -374,12 +374,14 @@ | |||
| <groupId>org.apache.maven</groupId> | |||
| <artifactId>maven-plugin-api</artifactId> | |||
| <version>${mavenVersion}</version> | |||
There was a problem hiding this comment.
This is dangerous as the prerequisites state compatibility with Maven 3.3.9 and still you reference provided dependencies from 3.8.4. You should reference the version provided by the minimum Maven version which is supported.
There was a problem hiding this comment.
dangerous in what way? Does it not work on maven 3.3.9? No one has reported that?
There was a problem hiding this comment.
You might introduce code dependencies on methods only being introduced with e.g. Maven Core 3.5.4 which will not work with Maven 3.3.9 (which is the minimum Maven version you support). No matter which version you give here at runtime Maven will determine the version of this dependency!
There was a problem hiding this comment.
Just make sure that the compile time dependency (with scope provided) is the same version as being provided by the lowest Maven version at run time.
There was a problem hiding this comment.
I added a github action, 3.3.9 with code base and all integration tests works without issue. See #390
There was a problem hiding this comment.
should also note any version before 3.8.x is vulnerable so old versions really don't matter if security is taken seriously. but that is another matter. Haven't used 3.3.9 in years and wouldn't understand why anyone would.
No description provided.