开源软件名称(OpenSource Name):ning/maven-dependency-versions-check-plugin开源软件地址(OpenSource Url):https://github.com/ning/maven-dependency-versions-check-plugin开源编程语言(OpenSource Language):Java 100.0%开源软件介绍(OpenSource Introduction):¶ ↑What is itThe More specifically, it will check that
The plugin can configured to issue warnings or fail the build in that case. ¶ ↑How to get itCurrently, the plugin is not in a public repository yet, so you'll have to build it yourself. First clone the git repository and then simply do mvn install This will install the plugin into your local repository and make it available for use. To make commandline usage a bit easier, you should add the <settings> ... <pluginGroups> <pluginGroup>com.ning.maven.plugins</pluginGroup> </pluginGroups> ... </settings> ¶ ↑How to use itThe plugin as two goals:
¶ ↑The “list” goalThis goal reports a list of all dependencies that are used in the current project: % mvn com.ning.maven.plugins:maven-dependency-versions-check-plugin:list [...] [INFO] [dependency-versions-check:list {execution: default-cli}] [INFO] Transitive dependencies for scope 'compile': [INFO] backport-util-concurrent:backport-util-concurrent: backport-util-concurrent:backport-util-concurrent-3.1 (3.1) [INFO] classworlds:classworlds: classworlds:classworlds-1.1-alpha-2 (1.1-alpha-2) [INFO] com.pyx4j:maven-plugin-log4j: com.pyx4j:maven-plugin-log4j-1.0.1 (*1.0.1*) [INFO] commons-collections:commons-collections: commons-collections:commons-collections-3.2.1 (*3.2.1*) [INFO] commons-lang:commons-lang: commons-lang:commons-lang-2.5 (*2.5*) [INFO] junit:junit: junit:junit-3.8.1 (3.8.1) [INFO] log4j:log4j: log4j:log4j-1.2.16 (1.2.14, *1.2.16*) [INFO] org.apache.maven.wagon:wagon-provider-api: org.apache.maven.wagon:wagon-provider-api-1.0-beta-6 (1.0-beta-6) [INFO] org.apache.maven:maven-artifact: org.apache.maven:maven-artifact-2.2.1 (2.0, 2.2.1) [INFO] org.apache.maven:maven-artifact-manager: org.apache.maven:maven-artifact-manager-2.2.1 (2.2.1) [INFO] org.apache.maven:maven-model: org.apache.maven:maven-model-2.2.1 (2.2.1) [INFO] org.apache.maven:maven-plugin-api: org.apache.maven:maven-plugin-api-2.2.1 (2.0, *2.2.1*) [INFO] org.apache.maven:maven-plugin-registry: org.apache.maven:maven-plugin-registry-2.2.1 (2.2.1) [INFO] org.apache.maven:maven-profile: org.apache.maven:maven-profile-2.2.1 (2.2.1) [INFO] org.apache.maven:maven-project: org.apache.maven:maven-project-2.2.1 (*2.2.1*) [INFO] org.apache.maven:maven-repository-metadata: org.apache.maven:maven-repository-metadata-2.2.1 (2.2.1) [INFO] org.apache.maven:maven-settings: org.apache.maven:maven-settings-2.2.1 (2.2.1) [INFO] org.codehaus.plexus:plexus-container-default: org.codehaus.plexus:plexus-container-default-1.0-alpha-9-stable-1 (1.0-alpha-9-stable-1) [INFO] org.codehaus.plexus:plexus-interpolation: org.codehaus.plexus:plexus-interpolation-1.11 (1.11) [INFO] org.codehaus.plexus:plexus-utils: org.codehaus.plexus:plexus-utils-1.5.15 (1.0.4, 1.5.15) [INFO] org.slf4j:slf4j-api: org.slf4j:slf4j-api-1.6.1 (*1.6.1*) [INFO] org.slf4j:slf4j-log4j12: org.slf4j:slf4j-log4j12-1.6.1 (*1.6.1*) [...] This is the dependency list for the plugin itself. Every line contains of the following elements:
If a dependency is surrounded by “*”, it was declared in the project POM. If a dependency is surrounded by “!”, then it is in conflict. Running the check plugin will flag this as error and might fail the build. ¶ ↑Options for the “list” goalThese options are intended to be given on the command line. They can also be configured in the config section (see below) but are less useful.
¶ ↑The “check” goalThis goal checks all the dependencies, reports only problems and might fail the build if configured. It is intended to be run as part of the normal build cycle. In this case, it should be added like this: <plugin> <groupId>com.ning.maven.plugins</groupId> <artifactId>maven-dependency-versions-check-plugin</artifactId> <executions> <execution> <phase>verify</phase> <goals> <goal>check</goal> </goals> </execution> </executions> </plugin> If the plugin finds a conflict, then it will output something like [INFO] Checking dependency versions [WARNING] Found a problem with the direct dependency log4j:log4j of the current project Expected version is 1.2.13 Resolved version is 1.2.13 Version 1.2.16 was expected by artifact: org.jboss.netty:netty The above sample shows a conflict with a dependency declared in the current POM. In this case, it will print
If the problem is instead between dependencies, then it will omit the expected version. The above will change to ¶ ↑POM configuration sectionNote also that any configuration in a POM overrides the default configuration (e.g. from the parent POM), so you should duplicate that configuration or use the very arcane 'combine.children' trick (see www.sonatype.com/people/2007/06/how-to-merge-sub-items-from-parent-pom-to-child-pom-in-a-maven-plugin-configuration-2/ for details…). ¶ ↑exceptionsIn rare cases you need to configure the plugin to make exceptions, i.e. allow specific version conflicts. For instance, in the above example you might insist that <plugin> <groupId>com.ning.maven.plugins</groupId> <artifactId>maven-dependency-versions-check-plugin</artifactId> <configuration> <exceptions> <exception> <groupId>log4j</groupId> <artifactId>log4j</artifactId> <expectedVersion>1.2.13</expectedVersion> <resolvedVersion>1.2.16</resolvedVersion> </exception> </exceptions> </configuration> </plugin> An exception is only for a specific version conflict, in this case 1.2.13 instead of 1.2.16. If the plugin finds that a different version of An exception must have all four elements (groupId, artifactId, expectedVersion and resolvedVersion) present. ¶ ↑warnIfMajorVersionIsHigherBoolean flag that enables warnings if a dependency that was excluded from version resolution depends on an incompatible version (for historical reasons it is called 'warnIfMajorVersionIsHigher'). Default value is “false” (do not warn). <configuration> <warnIfMajorVersionIsHigher>true</warnIfMajorVersionIsHigher> </configuration> ¶ ↑failBuildInCaseOfConflict (check only)Boolean flag that will turn warnings about dependency problems into error messages and fail the build accordingly. Default value is “false” (only report warnings). <configuration> <failBuildInCaseOfConflict>true</failBuildInCaseOfConflict> </configuration> ¶ ↑resolversDefines a version strategy resolver. Version strategy resolvers are used to determine which strategy to apply to decide whether two versions are compatible with each other. <configuration> <resolvers> <resolver> <id>apache-dependencies</id> <strategyName>apr</strategyName> <includes> <include>commons-configuration:commons-configuration</include> <include>org.apache.commons:*</include> <include>org.apache.maven.plugins.*</include> <include>org.apache*</include> </includes> </resolver> </resolvers> </configuration> A resolver contains a strategy name (<strategyName>) and a list of one or more includes to list the patterns of artifacts for which this resolvers should be used. Patterns can contain wildcards (*) for both group and artifactName. See below for more details on strategy resolvers. ¶ ↑defaultStrategySelects the default strategy to fall back on when no match is found in the resolvers configuration. Defaults to “default”. See below for more details on strategies. ¶ ↑Version resolving strategiesWhile maven uses a “highest version wins” approach to resolving dependencies (see below for more details), this is not always the best way to go. Often, version numbers also carry semantic meaning (e.g. Apache APR versioning assigns indicators for forward- and backward-compatibility on each of the elements in a three-digit version number). This plugin provides an indicator whether a set of dependencies resolved by maven actually “fits” and may fail at build time, thus avoiding failing at run time. To do so, it employs version resolving strategies. In the most simple use case, it uses the default strategy exclusively. But by using the <resolvers> section, it is possible to tweak this and to allow custom strategies to be used. ¶ ↑Strategies included with the plugin¶ ↑default - the default strategyThis strategy is modelled after the actual maven version resolution. It assumes that all smaller versions are compatible when replaced with larger numbers and compares version elements from left to right. E.g. 3.2.1 > 3.2 and 2.1.1 > 1.0. It usually works pretty ok and is the fallback for version resolution (unless changed with the <defaultStrategy> setting in the configuration section. ¶ ↑apr - Apache APR versioningThree digit versioning, assumes that for two versions to be compatible, the first digit must be identical, the middle digit indicates backwards compatibility (i.e. 1.2.x can replace 1.1.x but 1.4.x can not replace 1.5.x) and the third digit signifies the patch level (only bug fixes, full API compatibility). ¶ ↑two-digits-backward-compatible - Relaxed APR versioningSimilar to APR, but assumes that there is no “major” version digit (e.g. it is part of the artifact Id). All versions are backwards compatible. First digit must be the same or higher to be compatible (i.e. 2.0 can replace 1.2). ¶ ↑single-digit - Single version numberThe version consists of a single number. Larger versions can replace smaller versions. The version number may contain additional letters or prefixes (i.e. r08 can replace r07). ¶ ↑Writing your own strategies (advanced usage)A custom strategy must implement the com.ning.maven.plugins.dependencyversionscheck.strategy.Strategy interface and must declare itself as a plexus component. A jar containing a custom strategy can then used as a custom dependency of the plugin: /** * @plexus.component role="com.ning.maven.plugins.dependencyversionscheck.strategy.Strategy" role-hint="bad" */ public class BadStrategy implements Strategy { public String getName() { return "bad"; } public boolean isCompatible(Version a, Version b) { return false; }; } <plugin> <groupId>com.ning.maven.plugins</groupId> <artifactId>maven-dependency-versions-check-plugin</artifactId> <dependencies> <dependency> <groupId>badExample</groupId> <artifactId>badStrategy</artifactId> <version>1.0</version> </dependency> </dependencies> ..... </plugin> See the source code to the plugin and the existing strategies for examples on how to write strategies. ¶ ↑How to resolve conflictsSome more detailed explanation is below in the background section. In general, you should try to upgrade dependency versions if you can make sure that they work (e.g. via unit or other tests). If you cannot do that, then either add exclusions or add an explicit dependency in the current POM. If even this fails, then add an exception configuration, but please use this only as a last resort. In this case you should add comments to the exceptions, exclusions or explicit dependencies that state why you added them (e.g. noting the version conflict). ¶ ↑Background: Maven 2's arbitrary version resolution strategyConsider four projects, A through D. A depends on B and C which both depend on D, but on different versions. E.g. B's and C's POM look like this: <project> <groupId>...</groupId> <artifactId>B</artifactId> ... <dependencies> <dependency> <groupId>...</groupId> <artifactId>D</artifactId> <version>1.0</version> </dependency> </dependencies> </project> <project> <groupId>...</groupId> <artifactId>C</artifactId> ... <dependencies> <dependency> <groupId>...</groupId> <artifactId>D</artifactId> <version>1.1</version> </dependency> </dependencies> </project> If A's POM looks like this: <project> <groupId>...</groupId> <artifactId>A</artifactId> ... <dependencies> <dependency> <groupId>...</groupId> <artifactId>B</artifactId> <version>...</version> </dependency> <dependency> <groupId>...</groupId> <artifactId>C</artifactId> <version>...</version> </dependency> </dependencies> </project> Maven will resolve D's version to 1.0 because it will use the first version it encounters. This is obviously a problem since C needs at least version 1.1. If we change A's POM to <project> <groupId>...</groupId> <artifactId>A</artifactId> ... <dependencies> <dependency> <groupId>...</groupId> <artifactId>C</artifactId> <version>...</version> </dependency> <dependency> <groupId>...</groupId> <artifactId>B</artifactId> <version>...</version> </dependency> </dependencies> </project> then we'll get version 1.1. However this is not a solution - imagine if B updates to version 1.2 of D … The common strategies to handle this are: ¶ ↑Specify an explicit dependency in A<project> <groupId>...</groupId> <artifactId>A</artifactId> ... <dependencies> <dependency> <groupId>...</groupId> <artifactId>B</artifactId> <version>...</version> </dependency> <dependency> <groupId>...</groupId> <artifactId>C</artifactId> <version>...</version> </dependency> <dependency> <groupId>...</groupId> <artifactId>D</artifactId> <version>1.1</version> </dependency> </dependencies> </project> In this case, Maven uses the version that is specified in A's POM and ignores both B and C. Still won't help in the case that B or C update to a newer version, though. ¶ ↑Use dependency management in the parent POMIf B, and C use a common parent POM, then the version of D can be specified in that parent POM: <project> <groupId>...</groupId> <artifactId>ParentOfBAndC</artifactId> ... <dependencyManagement> <dependencies> <dependency> <groupId>...</groupId> <artifactId>D</artifactId> <version>1.1</version> </dependency> </dependencies> </dependencyManagement> </project> This does not declare a dependency of ParentOfBAndC to D, but instead defines the version for all POMs that have this POM as a parent (unless a version is stated in that POM). B and C then can be changed to this: <project> <parent> <groupId>...</groupId> <artifactId>ParentOfBAndC</artifactId> </parent> <groupId>...</groupId> <artifactId>B</artifactId> ... <dependencies> <dependency> <groupId>...</groupId> <artifactId>D</artifactId> </dependency> </dependencies> </project> <project> <parent> <groupId>...</groupId> <artifactId>ParentOfBAndC</artifactId> </parent> <groupId>...</groupId> <artifactId>C</artifactId> ... <dependencies> <dependency> <groupId>...</groupId> <artifactId>D</artifactId> </dependency> </dependencies> </project> This way, B and C will get the same version. However if the version of D changes, both B and C will have to be released and A has to be updated to use both new versions, or we have the same problem again. ¶ ↑Use exclusionsIn some cases, we specifically don't want a transitive dependency. For instance, if in the above scenario we want to avoid version 1.1 in A, we could add an exclusion: <project> <groupId>...</groupId> <artifactId>A</artifactId> ... <dependencies> <dependency> <groupId>...</groupId> <artifactId>B</artifactId> <version>...</version> </dependency> <dependency> <groupId>...</groupId> <artifactId>C</artifactId> <version>...</version> <exclusions> <exclusion> <groupId>...</groupId> <artifactId>D</artifactId> </exclusion> </exclusions> </dependency> </dependencies> </project> This will have the effect of excluding the version of D that C brings to the party, so in our example it has the same effect as adding an explicit dependency to A. There are additional, subtle interactions when enforced versions come into play (e.g. |
2023-10-27
2022-08-15
2022-08-17
2022-09-23
2022-08-13
请发表评论