Maven plugin that makes sure that Maven dependency are not accidentaly changed.
Home Page: https://github.com/vandmo/dependency-lock-maven-plugin
License: Apache License 2.0
}, {
"groupId" : "org.slf4j",
"artifactId" : "slf4j-api",
"version" : "1.7.25",
"scope" : "compile",
"type" : "jar",
"sha-256": "xxxxx"
} ]
Only have to decide on the configuration.
<dependencySets>
<dependencySet>
<includes>
<include>com.myownthings</include>
</includes>
<version>ignore</version>
<!-- version>use-project-version</version -->
<!-- version>check (default value)</version-->
<allowMissing>true</allowMissing>
<allowSuperfluous>true</allowSuperfluous>
<ignoreIntegrity>true</ignoreIntegrity>
</dependencySet>
<dependencySet>
<includes>
<include>com.myownthings</include>
</includes>
<ignoreIntegrity>false</ignoreIntegrity>
</dependencySet>
</dependencySets>This make it possible to avoid editing the lock file for multi-module projects.
Example:
...
<useMineFors>
<useMineFor>:::*-SNAPSHOT</useMineFor>
</useMineFors>
...I am trying to exclude an internal dependency for the check. I have the following configuration in my pom, however mvn se.vandmo:dependency-lock-maven-plugin:check fails with "wrong integrity and version". The internal dependency is in the lock file. Have I got my configuration wrong?
<plugin>
<groupId>se.vandmo</groupId>
<artifactId>dependency-lock-maven-plugin</artifactId>
<version>1.0</version>
<configuration>
<dependencySets>
<dependencySet>
<excludes>
<exclude>xxx.yyyy:*</exclude>
</excludes>
<version>ignore</version>
<integrity>ignore</integrity>
</dependencySet>
</dependencySets>
</configuration>
<executions>
<execution>
<id>check</id>
<phase>validate</phase>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
Since the "use-mine" feature is gone it became harder to avoid noise from subproject in multi-project set ups.
It is currently possible to partially solve this issue with setup like this
<dependencySets>
<dependencySet>
<includes>
<include>com.company:my-test-subproject</include>
</includes>
<version>ignore</version>
<integrity>ignore</integrity>
</dependencySet>
</dependencySets>
This works fine, but these subprojects will keep popping up as changes in the lock file.
This would be nice to have an option for lock mojo to pick up the config and write something like that into the lock file:
{
"groupId" : "com.company",
"artifactId" : "my-test-subproject",
"version" : "ignore",
"scope" : "test",
"type" : "test-jar",
"optional" : false,
"integrity" : "ignore",
"classifier" : "tests"
},
Currently the lockfile is just acting as a check, did you consider using it as dependencyManagement from the Maven plugin?
In our case (mvnpm.org), just checking is not enough as the versions synced on the mvnpm repo and central are different leading to different Maven resolutions.
Also locking the bom mean a quicker resolution on CI.
Hi Mikael!
Could you please clarify the Dependabot support level. It is mentioned in the readme, that with XML format for package locks Dependabot Security Alerts for transitive dependencies will be enabled, however it is not clear will the Dependabot able to update the lock file itself.
The scenario is:
We have dependabot running and finding jars that need updating;
The problem is it only updates the pom.xml , but we also have a bunch of lock-versions.json files that also need corresponding updates;
Would be nice to have a note in README.md explaining whether it is possible to have locks updated by Dependabot or not.
Than you,
have a good one
If you run the plugin (v1.0.1) with a concurrent build you will be warned that the plugin is not marked as thread-safe and you absolutely will get errors from it whether you're running check or lock.
[WARNING] *****************************************************************
[WARNING] * Your build is requesting parallel execution, but this *
[WARNING] * project contains the following plugin(s) that have goals not *
[WARNING] * marked as thread-safe to support parallel execution. *
[WARNING] * While this /may/ work fine, please look for plugin updates *
[WARNING] * and/or request plugins be made thread-safe. *
[WARNING] * If reporting an issue, report it against the plugin in *
[WARNING] * question, not against Apache Maven. *
[WARNING] *****************************************************************
[WARNING] The following plugins are not marked as thread-safe in my-project:
[WARNING] se.vandmo:dependency-lock-maven-plugin:1.0.1
The request is to upgrade the plugin to be parallel build aware.
Hi,
Is there a way to not lock the SNAPHOT dependencies, i.e. keep -SNAPHOT instead of -SNAPHOT-<timestamp>? I know this defeats the whole purpose of the plugin, but how do you cope with the development version of a Java project?
Thanks
In my project we have ~130 modules which make up the project, these all have inter-dependencies on each other. Rather than listing all of these modules out it would be good if we could use a pattern to ignore all of the dependencies in the groups that we are happy to have floating.
As far as I can this would 'just' involve changing the StrictPatternIncludesArtifactFilter to a PatternIncludesArtifactFilter in the check Mojo.
Would this be something you'd accept?
I don't know how to hash lock dependencies on the maven project I am packaging properly.
mvn org.nixos.mvn2nix:mvn2nix-maven-plugin:mvn2nix produces a file with sha1s and mavenix uses sha1s too.
This project uses sha512 which are not deprecated like sha1s. However, then the lock plugin is part of the dependencies. If it doesn't do what it's supposed to do then we might not notice because it could decide to not check the dependencies (including itself). Is that right or am I misunderstanding this plugin? If I am right then I consider this a major security concern, potentially bypassing all the dependency checking.
I tried building a project with Maven 4 alpha. The plugin fails.
See exception below. The relevant failure is:
Caused by: java.io.UncheckedIOException: java.io.IOException: Is a directory
at se.vandmo.dependencylock.maven.Checksum.calculateFor(Checksum.java:38)
The plugin is receiving a File that's a directory.
This may be Maven's fault, however, it's not a bad idea to make the code robust.
A simple check of file.isDirectory() sorts things out.
Execution check of goal se.vandmo:dependency-lock-maven-plugin:1.0.2:check failed: java.io.IOException: Is a directory
at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2(MojoExecutor.java:336)
at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute(MojoExecutor.java:318)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:214)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:175)
at org.apache.maven.lifecycle.internal.MojoExecutor.access$000(MojoExecutor.java:74)
at org.apache.maven.lifecycle.internal.MojoExecutor$1.run(MojoExecutor.java:163)
at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute(DefaultMojosExecutionStrategy.java:39)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:160)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:107)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:73)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:60)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:126)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:223)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:148)
at org.apache.maven.cli.MavenCli.execute(MavenCli.java:958)
at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288)
at org.apache.maven.cli.MavenCli.main(MavenCli.java:205)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:282)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:225)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:406)
at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:347)
Caused by: org.apache.maven.plugin.PluginExecutionException: Execution check of goal se.vandmo:dependency-lock-maven-plugin:1.0.2:check failed: java.io.IOException: Is a directory
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:150)
at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2(MojoExecutor.java:330)
at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute(MojoExecutor.java:318)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:214)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:175)
at org.apache.maven.lifecycle.internal.MojoExecutor.access$000(MojoExecutor.java:74)
at org.apache.maven.lifecycle.internal.MojoExecutor$1.run(MojoExecutor.java:163)
at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute(DefaultMojosExecutionStrategy.java:39)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:160)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:107)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:73)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:60)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:126)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:223)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:148)
at org.apache.maven.cli.MavenCli.execute(MavenCli.java:958)
at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288)
at org.apache.maven.cli.MavenCli.main(MavenCli.java:205)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:282)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:225)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:406)
at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:347)
Caused by: java.io.UncheckedIOException: java.io.IOException: Is a directory
at se.vandmo.dependencylock.maven.Checksum.calculateFor(Checksum.java:38)
at se.vandmo.dependencylock.maven.Artifact.from(Artifact.java:146)
at se.vandmo.dependencylock.maven.Artifacts.lambda$fromMavenArtifacts$0(Artifacts.java:25)
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
at java.util.Iterator.forEachRemaining(Iterator.java:116)
at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566)
at se.vandmo.dependencylock.maven.Artifacts.fromMavenArtifacts(Artifacts.java:25)
at se.vandmo.dependencylock.maven.mojos.AbstractDependencyLockMojo.projectDependencies(AbstractDependencyLockMojo.java:31)
at se.vandmo.dependencylock.maven.mojos.CheckMojo.execute(CheckMojo.java:43)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:144)
at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2(MojoExecutor.java:330)
at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute(MojoExecutor.java:318)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:214)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:175)
at org.apache.maven.lifecycle.internal.MojoExecutor.access$000(MojoExecutor.java:74)
at org.apache.maven.lifecycle.internal.MojoExecutor$1.run(MojoExecutor.java:163)
at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute(DefaultMojosExecutionStrategy.java:39)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:160)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:107)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:73)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:60)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:126)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:223)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:148)
at org.apache.maven.cli.MavenCli.execute(MavenCli.java:958)
at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288)
at org.apache.maven.cli.MavenCli.main(MavenCli.java:205)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:282)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:225)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:406)
at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:347)
Caused by: java.io.IOException: Is a directory
at sun.nio.ch.FileDispatcherImpl.read0(Native Method)
at sun.nio.ch.FileDispatcherImpl.read(FileDispatcherImpl.java:46)
at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
at sun.nio.ch.IOUtil.read(IOUtil.java:197)
at sun.nio.ch.FileChannelImpl.read(FileChannelImpl.java:159)
at sun.nio.ch.ChannelInputStream.read(ChannelInputStream.java:65)
at sun.nio.ch.ChannelInputStream.read(ChannelInputStream.java:109)
at sun.nio.ch.ChannelInputStream.read(ChannelInputStream.java:103)
at java.nio.file.Files.read(Files.java:3105)
at java.nio.file.Files.readAllBytes(Files.java:3158)
at se.vandmo.dependencylock.maven.Checksum.calculateFor(Checksum.java:36)
at se.vandmo.dependencylock.maven.Artifact.from(Artifact.java:146)
at se.vandmo.dependencylock.maven.Artifacts.lambda$fromMavenArtifacts$0(Artifacts.java:25)
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
at java.util.Iterator.forEachRemaining(Iterator.java:116)
at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566)
at se.vandmo.dependencylock.maven.Artifacts.fromMavenArtifacts(Artifacts.java:25)
at se.vandmo.dependencylock.maven.mojos.AbstractDependencyLockMojo.projectDependencies(AbstractDependencyLockMojo.java:31)
at se.vandmo.dependencylock.maven.mojos.CheckMojo.execute(CheckMojo.java:43)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:144)
at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2(MojoExecutor.java:330)
at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute(MojoExecutor.java:318)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:214)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:175)
at org.apache.maven.lifecycle.internal.MojoExecutor.access$000(MojoExecutor.java:74)
at org.apache.maven.lifecycle.internal.MojoExecutor$1.run(MojoExecutor.java:163)
at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute(DefaultMojosExecutionStrategy.java:39)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:160)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:107)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:73)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:60)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:126)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:223)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:148)
at org.apache.maven.cli.MavenCli.execute(MavenCli.java:958)
at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288)
at org.apache.maven.cli.MavenCli.main(MavenCli.java:205)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:282)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:225)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:406)
at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:347)
The "Releases" info on the main GitHub page is indicating that the latest release is version 0.13.
However several versions have been released since then, so it would be interesting to update that information.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.