Using the lockfile as dependencyManagement #72
Comments
In principle I think it would be good if dependency-lock-maven-plugin could have the lock file as the input to dependency resolution instead of just doing a check. I have experimented with using the lock file instead of dependencyManagement. Another thing I have noticed is that Maven likes to downgrade versions of transitive dependencies due to seemingly arbitrary and unrelated changes. So I would need to add guava etc. to dependencyManagement as well to stop it from being downgraded. I don't mind making it possible to use the lock file for dependency management in dependency-lock-maven-plugin, but for it to be really useful the creating of the lock file would probably need some more input than the dependencies section.
Hello @vandmo, thanks for your answer! I've played with a generated BOM used as depMngt for a few days and it's really tricky to have something consistent. I ended up using part of your code for our own limited purpose (I've kept you as developer in the pom.xml since it's strongly inspired copied from your sources), it scopes to The main problem I met is when there are other boms in a project, the exclusions get overridden by the locker bom, which is not ok. In the mvnpm case we shouldn't have this problem but I created an issue mvnpm/locker#1. Thanks a lot for your plugin and let me know if at some point there are some concepts that would benefit from being ported back to your plugin :)
Currently the lockfile is just acting as a check, did you consider using it as dependencyManagement from the Maven plugin?
In our case (mvnpm.org), just checking is not enough as the versions synced on the mvnpm repo and central are different leading to different Maven resolutions.
Also, locking the bom means a quicker resolution on CI.