-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Automatically extract list of dependencies from the BOM #9
Comments
Hi @gaeljw. I think that your proposal is reasonable and should be implemented. The team gratefully accepts contributions via pull requests. |
I'll have a look to the code in the coming days/weeks but if you already have some things in mind I should know or places I should look at in priority, please do :) |
I believe the list should be created in method BomReader.assembleBom():https://github.com/heremaps/here-sbt-bom/blob/master/plugin/src/main/scala/com/here/bom/internal/BomReader.scala#L134 And then propagated up to the client code |
See the context of this feature at heremaps#9
See the context of this feature at heremaps#9
See the context of this feature at heremaps#9 Signed-off-by: Gaël Jourdan-Weil <[email protected]>
Here's a PR that solves this, any feedback welcome of course :) #13 |
See the context of this feature at heremaps#9 Signed-off-by: Gaël Jourdan-Weil <[email protected]>
Closing the issue. See #13 for the details |
Context
Unless I missed something, the plugin's current usage requires manually defining all dependencies on which we want to "apply the BOM".
Case A
Given the following setup:
The dependency tree is as follows:
So far, so good.
Case B
But now, let's take the following example of a more real-life project with many transitive dependencies:
The difference with case A is:
+ libraryDependencies += "com.typesafe.play" %% "play" % "2.8.21", libraryDependencies += deps.key.value.dependencies
Now the dependency tree is like this (extract to be easier to read):
As I haven't listed
com.fasterxml.jackson.datatype:jackson-datatype-jdk8
orcom.fasterxml.jackson.datatype:jackson-datatype-jsr310
explicitly in myJacksonDependencies
class, they are not getting the BOM version: they are pulled in version 2.11.4 instead of the desired/expected 2.16.0.This can be fixed by explicitly listing all dependencies but this can be long and not future-proof as you can relatively easily know the deps you're pulling today (to list them and add them explicitly) but you won't notice if someone adds another lib that transitively needs another Jackson lib that you hadn't listed yet.
Proposal
In my opinion, this is also why BOM exist: manage transitive dependencies versions.
I think we could have the sbt plugin parse the BOM and expose the dependencies listed in the BOM as a variable that can then be used in
dependencyOverrides
.For instance, given the Jackson BOM (extract):
We could have following usage in a SBT project:
Where
deps.key.value.bomDependencies
is somehow automatically provided by the plugin and would contain:That would be a closer experience to what we have in Maven.
How
It's unclear to me how this could be implemented, but I'd be happy to help if this sounds interesting to you.
The text was updated successfully, but these errors were encountered: