vandmo / dependency-lock-maven-plugin Goto Github PK

View Code? Open in Web Editor NEW

63.0 2.0 9.0 286 KB

Maven plugin that makes sure that Maven dependency are not accidentaly changed.

Home Page: https://github.com/vandmo/dependency-lock-maven-plugin

License: Apache License 2.0

Java 83.47% Shell 0.63% Groovy 14.72% Python 1.18%

maven maven-plugin maven-dependency

dependency-lock-maven-plugin's Introduction

dependency-lock-maven-plugin

Maven only requires you to specify versions of dependencies that you use directly. Transitive dependencies aren't visible in the pom.xml and their version is chosen in a seemingly random way.

This Maven plugin enables you to:

Review exactly which dependencies you have, including transitive ones
Make sure dependencies are not accidentally changed
Verify the integrity of your dependencies to avoid supply chain attacks, see Dependency Confusion
Track changes to dependencies in your SCM
Enable vulnerability scanning in all your dependencies, including transitive ones
Enable Dependabot Security Alerts for transitive dependencies

It is a bit like mvn dependency:list but the output is intended to be tracked by you SCM and the check goal makes sure you don't forget to update the file.

Locking

mvn se.vandmo:dependency-lock-maven-plugin:lock will create a file named dependencies-lock.json by default.

You should then commit that file to your source control of choice.

Choose between JSON format and POM XML format. The latter is more verbose but will be detected by Dependabot Security Alerts.

Validating

The following snippet in your pom.xml file will make sure that the actual dependencies are the same as in the dependencies-lock.json file.

<build>
  <plugins>
    <plugin>
      <groupId>se.vandmo</groupId>
      <artifactId>dependency-lock-maven-plugin</artifactId>
      <version>1.0</version>
      <executions>
        <execution>
          <id>check</id>
          <phase>validate</phase>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>

Tips

Adding the following in ~/.m2/settings.xml will allow you to write mvn dependency-lock:lock

<pluginGroups>
  <pluginGroup>se.vandmo</pluginGroup>
</pluginGroups>

Shared Configuration

Configuration shared between all goals.

filename

The filename of the lock file.

format

Which lock file format to use, defaults to json.

json, lock file in JSON format, default filename is dependency-lock.json
pom, lock file in POM XML format, default filename is .dependeny-lock/pom.xml

Goals

check

Checks that actual dependencies matches the lock file. Fails the build if there is no match. Expects a lock file to exist.

If some dependencies are part of the same multi-module project you might want those dependencies to be the same version as the artifact where the dependencies are locked. You can achieve this by configuring the plugin like such:

<configuration>
  <dependencySets>
    <dependencySet>
      <includes>
        <include>org.myorg:myapplication-*</include>
      </includes>
      <version>use-project-version</version>
    </dependencySet>
  </dependencySets>
</configuration>

The filter syntax is [groupId]:[artifactId]:[type]:[version] where each pattern segment is optional and supports full and partial * wildcards. An empty pattern segment is treated as an implicit wildcard. For example, org.myorg.* will match all artifacts whose group id starts with org.myorg., and :::*-SNAPSHOT will match all snapshot artifacts.

dependencySets

dependencySets are ordered in reverse priority which means that a dependencySet at the end of the list will override any previously set configuration for the matching dependencies. A dependencySet is configured as follows:

Field	Description
includes	Patterns describing dependencies that should be included
excludes	Patterns describing dependencies that should be excluded
allowExtraneous	Whether extraneous dependencies should be allowed or not
allowMissing	Whether missing dependencies should be allowed or not
version	"check", "ignore", "use-project-version" or "snapshot"
integrity	"check" or "ignore"

"snapshot" version matching means that 1.2.3-SNAPSHOT will match something like 1.2.3-20221104.072032-1 and similar.

lock

Creates a lock file from the actual dependencies.

Notes

Dependabot Updates won't work

Dependabot Updates currently creates a single PR for each change. If you use pom format and merge all PRs from Dependabot then that combined build might work, but each single PR will fail. There are feature requests for combined PRs for Dependabot which, if implemented, could make a combined PR work. Another approach to automate the creation of PRs would be to have a GitHub workflow that creates a combined PR based on the Dependabot PRs.

News in version 1.x

Integrity checking is enabled by default
Configuration is more verbose but also more flexible

dependency-lock-maven-plugin's People

Contributors

Stargazers

Watchers

Forkers

rodikal danielhodder chuanghou java-popular-repos truid-app phillip-kruger wuetherich andruhon

dependency-lock-maven-plugin's Issues

Support patterns for ignore, and my version, lists

In my project we have ~130 modules which make up the project, these all have inter-dependencies on each other. Rather than listing all of these modules out it would be good if we could use a pattern to ignore all of the dependencies in the groups that we are happy to have floating.

As far as I can this would 'just' involve changing the StrictPatternIncludesArtifactFilter to a PatternIncludesArtifactFilter in the check Mojo.

Would this be something you'd accept?

Readme improvements on Dependabot needed

Hi Mikael!

Could you please clarify the Dependabot support level. It is mentioned in the readme, that with XML format for package locks Dependabot Security Alerts for transitive dependencies will be enabled, however it is not clear will the Dependabot able to update the lock file itself.

The scenario is:
We have dependabot running and finding jars that need updating;
The problem is it only updates the pom.xml , but we also have a bunch of lock-versions.json files that also need corresponding updates;

Would be nice to have a note in README.md explaining whether it is possible to have locks updated by Dependabot or not.

Than you,
have a good one

Exclusion of a dependency from version and integrity check is not working

I am trying to exclude an internal dependency for the check. I have the following configuration in my pom, however mvn se.vandmo:dependency-lock-maven-plugin:check fails with "wrong integrity and version". The internal dependency is in the lock file. Have I got my configuration wrong?

			<plugin>
				<groupId>se.vandmo</groupId>
				<artifactId>dependency-lock-maven-plugin</artifactId>
				<version>1.0</version>
				<configuration>
					<dependencySets>
					    <dependencySet>
							<excludes>
								<exclude>xxx.yyyy:*</exclude>
							</excludes>
							<version>ignore</version>
							<integrity>ignore</integrity>
						</dependencySet>
					</dependencySets>
				</configuration>
				<executions>
					<execution>
						<id>check</id>
						<phase>validate</phase>
						<goals>
							<goal>check</goal>
						</goals>
					</execution>
				</executions>
			</plugin>

GitHub Releases still indicate that version 0.13 is the latest release

The "Releases" info on the main GitHub page is indicating that the latest release is version 0.13.
However several versions have been released since then, so it would be interesting to update that information.

Release version 1.0

Only have to decide on the configuration.

<dependencySets>
  <dependencySet>
    <includes>
      <include>com.myownthings</include>
    </includes>
    <version>ignore</version>
    <!-- version>use-project-version</version -->
    <!-- version>check (default value)</version-->
    <allowMissing>true</allowMissing>
    <allowSuperfluous>true</allowSuperfluous>
    <ignoreIntegrity>true</ignoreIntegrity>
  </dependencySet>
  <dependencySet>
    <includes>
      <include>com.myownthings</include>
    </includes>
    <ignoreIntegrity>false</ignoreIntegrity>
  </dependencySet>
</dependencySets>

dependency-lock-maven-plugin is part of dependencies, security concern

I don't know how to hash lock dependencies on the maven project I am packaging properly.
mvn org.nixos.mvn2nix:mvn2nix-maven-plugin:mvn2nix produces a file with sha1s and mavenix uses sha1s too.

This project uses sha512 which are not deprecated like sha1s. However, then the lock plugin is part of the dependencies. If it doesn't do what it's supposed to do then we might not notice because it could decide to not check the dependencies (including itself). Is that right or am I misunderstanding this plugin? If I am right then I consider this a major security concern, potentially bypassing all the dependency checking.

Make it possible to indicate versions that should be the same as project from the POM.

This make it possible to avoid editing the lock file for multi-module projects.

Example:

...
  <useMineFors>
    <useMineFor>:::*-SNAPSHOT</useMineFor>
  </useMineFors>
...

Add dependency checksums

I wish

the dependency contains a checksum, eg

  }, {
    "groupId" : "org.slf4j",
    "artifactId" : "slf4j-api",
    "version" : "1.7.25",
    "scope" : "compile",
    "type" : "jar",
    "sha-256": "xxxxx"
  } ]

Maven 4 alpha - Plugin has an exception

I tried building a project with Maven 4 alpha. The plugin fails.
See exception below. The relevant failure is:

Caused by: java.io.UncheckedIOException: java.io.IOException: Is a directory
    at se.vandmo.dependencylock.maven.Checksum.calculateFor(Checksum.java:38)

The plugin is receiving a File that's a directory.
This may be Maven's fault, however, it's not a bad idea to make the code robust.
A simple check of file.isDirectory() sorts things out.

Execution check of goal se.vandmo:dependency-lock-maven-plugin:1.0.2:check failed: java.io.IOException: Is a directory
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2(MojoExecutor.java:336)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute(MojoExecutor.java:318)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:214)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:175)
    at org.apache.maven.lifecycle.internal.MojoExecutor.access$000(MojoExecutor.java:74)
    at org.apache.maven.lifecycle.internal.MojoExecutor$1.run(MojoExecutor.java:163)
    at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute(DefaultMojosExecutionStrategy.java:39)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:160)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:107)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:73)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:60)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:126)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:223)
    at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:148)
    at org.apache.maven.cli.MavenCli.execute(MavenCli.java:958)
    at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main(MavenCli.java:205)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:347)
Caused by: org.apache.maven.plugin.PluginExecutionException: Execution check of goal se.vandmo:dependency-lock-maven-plugin:1.0.2:check failed: java.io.IOException: Is a directory
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:150)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2(MojoExecutor.java:330)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute(MojoExecutor.java:318)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:214)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:175)
    at org.apache.maven.lifecycle.internal.MojoExecutor.access$000(MojoExecutor.java:74)
    at org.apache.maven.lifecycle.internal.MojoExecutor$1.run(MojoExecutor.java:163)
    at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute(DefaultMojosExecutionStrategy.java:39)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:160)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:107)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:73)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:60)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:126)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:223)
    at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:148)
    at org.apache.maven.cli.MavenCli.execute(MavenCli.java:958)
    at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main(MavenCli.java:205)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:347)
Caused by: java.io.UncheckedIOException: java.io.IOException: Is a directory
    at se.vandmo.dependencylock.maven.Checksum.calculateFor(Checksum.java:38)
    at se.vandmo.dependencylock.maven.Artifact.from(Artifact.java:146)
    at se.vandmo.dependencylock.maven.Artifacts.lambda$fromMavenArtifacts$0(Artifacts.java:25)
    at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
    at java.util.Iterator.forEachRemaining(Iterator.java:116)
    at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801)
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
    at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
    at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
    at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566)
    at se.vandmo.dependencylock.maven.Artifacts.fromMavenArtifacts(Artifacts.java:25)
    at se.vandmo.dependencylock.maven.mojos.AbstractDependencyLockMojo.projectDependencies(AbstractDependencyLockMojo.java:31)
    at se.vandmo.dependencylock.maven.mojos.CheckMojo.execute(CheckMojo.java:43)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:144)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2(MojoExecutor.java:330)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute(MojoExecutor.java:318)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:214)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:175)
    at org.apache.maven.lifecycle.internal.MojoExecutor.access$000(MojoExecutor.java:74)
    at org.apache.maven.lifecycle.internal.MojoExecutor$1.run(MojoExecutor.java:163)
    at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute(DefaultMojosExecutionStrategy.java:39)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:160)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:107)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:73)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:60)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:126)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:223)
    at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:148)
    at org.apache.maven.cli.MavenCli.execute(MavenCli.java:958)
    at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main(MavenCli.java:205)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:347)
Caused by: java.io.IOException: Is a directory
    at sun.nio.ch.FileDispatcherImpl.read0(Native Method)
    at sun.nio.ch.FileDispatcherImpl.read(FileDispatcherImpl.java:46)
    at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
    at sun.nio.ch.IOUtil.read(IOUtil.java:197)
    at sun.nio.ch.FileChannelImpl.read(FileChannelImpl.java:159)
    at sun.nio.ch.ChannelInputStream.read(ChannelInputStream.java:65)
    at sun.nio.ch.ChannelInputStream.read(ChannelInputStream.java:109)
    at sun.nio.ch.ChannelInputStream.read(ChannelInputStream.java:103)
    at java.nio.file.Files.read(Files.java:3105)
    at java.nio.file.Files.readAllBytes(Files.java:3158)
    at se.vandmo.dependencylock.maven.Checksum.calculateFor(Checksum.java:36)
    at se.vandmo.dependencylock.maven.Artifact.from(Artifact.java:146)
    at se.vandmo.dependencylock.maven.Artifacts.lambda$fromMavenArtifacts$0(Artifacts.java:25)
    at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
    at java.util.Iterator.forEachRemaining(Iterator.java:116)
    at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801)
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
    at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
    at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
    at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566)
    at se.vandmo.dependencylock.maven.Artifacts.fromMavenArtifacts(Artifacts.java:25)
    at se.vandmo.dependencylock.maven.mojos.AbstractDependencyLockMojo.projectDependencies(AbstractDependencyLockMojo.java:31)
    at se.vandmo.dependencylock.maven.mojos.CheckMojo.execute(CheckMojo.java:43)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:144)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2(MojoExecutor.java:330)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute(MojoExecutor.java:318)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:214)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:175)
    at org.apache.maven.lifecycle.internal.MojoExecutor.access$000(MojoExecutor.java:74)
    at org.apache.maven.lifecycle.internal.MojoExecutor$1.run(MojoExecutor.java:163)
    at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute(DefaultMojosExecutionStrategy.java:39)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:160)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:107)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:73)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:60)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:126)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:223)
    at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:148)
    at org.apache.maven.cli.MavenCli.execute(MavenCli.java:958)
    at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main(MavenCli.java:205)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:347)

How to manage snapshot dependencies?

Hi,
Is there a way to not lock the SNAPHOT dependencies, i.e. keep -SNAPHOT instead of -SNAPHOT-<timestamp>? I know this defeats the whole purpose of the plugin, but how do you cope with the development version of a Java project?
Thanks

Make plugin safe for parallel builds

If you run the plugin (v1.0.1) with a concurrent build you will be warned that the plugin is not marked as thread-safe and you absolutely will get errors from it whether you're running check or lock.

[WARNING] *****************************************************************
[WARNING] * Your build is requesting parallel execution, but this         *
[WARNING] * project contains the following plugin(s) that have goals not  *
[WARNING] * marked as thread-safe to support parallel execution.          *
[WARNING] * While this /may/ work fine, please look for plugin updates    *
[WARNING] * and/or request plugins be made thread-safe.                   *
[WARNING] * If reporting an issue, report it against the plugin in        *
[WARNING] * question, not against Apache Maven.                           *
[WARNING] *****************************************************************
[WARNING] The following plugins are not marked as thread-safe in my-project:
[WARNING]   se.vandmo:dependency-lock-maven-plugin:1.0.1

The request is to upgrade the plugin to be parallel build aware.

Add more control over produced lock file

Since the "use-mine" feature is gone it became harder to avoid noise from subproject in multi-project set ups.

It is currently possible to partially solve this issue with setup like this

                        <dependencySets>
                            <dependencySet>
                                <includes>
                                    <include>com.company:my-test-subproject</include>
                                </includes>
                                <version>ignore</version>
                                <integrity>ignore</integrity>
                            </dependencySet>
                        </dependencySets>

This works fine, but these subprojects will keep popping up as changes in the lock file.

This would be nice to have an option for lock mojo to pick up the config and write something like that into the lock file:

{
    "groupId" : "com.company",
    "artifactId" : "my-test-subproject",
    "version" : "ignore",
    "scope" : "test",
    "type" : "test-jar",
    "optional" : false,
    "integrity" : "ignore",
    "classifier" : "tests"
  },

Using the lockfile as dependencyManagement

Currently the lockfile is just acting as a check, did you consider using it as dependencyManagement from the Maven plugin?

In our case (mvnpm.org), just checking is not enough as the versions synced on the mvnpm repo and central are different leading to different Maven resolutions.

Also locking the bom mean a quicker resolution on CI.

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.