Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix flatten plugin #706

Draft
wants to merge 3 commits into
base: master
Choose a base branch
from
Draft

Conversation

jtnord
Copy link
Member

@jtnord jtnord commented Mar 9, 2023

Do not strip any section from the flattened pom.

If a plugin is using dependencyManagement to manage transitive dependencies then the version information will be lost when published.

Whilst there is a mode in the flatten plugin to promote transitive dependencies to direct dependencies this would cause different issues as the depth of dependencies would change when you are using local development and published versions.

this could also have looked at different modes like ciFriendly which just resolves the release version properties and their usage - this would be a bigger change to the published poms than I am prepared to test at this time.

So for now we replicate the oss mode and add in dependencyManagment

fixes #705

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue

jtnord added 2 commits March 9, 2023 12:49
dependencyManagement can be used to manage the transitive dependency
versions not only direct ones, and this impacts what can end up in the
resulting hpi file.

By not including the depMgmt section then any downtream consumer will
see the un managed versions of the dependencies which will differ from
what they should see
the OSS mode despite saying it keeps everything "repositories and
pluginRepositories" does not and it throws away the dependencyManagement

this creates our own descriptor that dies the same as the oss mode
currently but additionally keeps the dependencyManagement section

Whilst we could have used resolveCiFriendliesOnly which is probably a
better solution so that the poms behave better regardless of if they are
deployed from CI or local snapshots this keeps the changes to published
poms minimal
@jtnord jtnord requested review from jglick and basil March 9, 2023 12:57
@jtnord jtnord marked this pull request as draft March 9, 2023 12:59
@jglick
Copy link
Member

jglick commented Mar 9, 2023

This smells wrong. We do not want to keep dependencyManagement; we want the published POM to list the actual dependencies, no more nor less. Will discuss details in the issue.

pom.xml Outdated
<flattenMode>oss</flattenMode>
<!-- flattenMode:oss does not keep dependecnyMangement or will promote all transitive dependencies to direct ones, changing resolution order -->
<pomElements>
<dependencyManagement>interpolate</dependencyManagement>
Copy link
Member Author

@jtnord jtnord Mar 9, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is the bit we change. interpolate replaces any properties.

may need to be expand as currently the flatten plugin will strip the parent info so would loose any depMgmt specified in a parent.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So what does the result actually look like in the original example? Does it effectively inline all deps from the imported BOM? We do not wish for a flattened POM to retain any reference to another POM file—it should be entirely self-contained.

Copy link
Member Author

@jtnord jtnord Mar 9, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

original example

you mean when consumed by the okhttp-api plugin?

with interpolate it keeps the dependencyManagement as is from the plugins's pom but with any properties replaced.

With expand it gets messy! (it is basically the output of the dependencyManagement section of help:effective-pom which is all poms from scope-> import basically inlined. (and everything from the parent)

Whilst I create a PR to demonstrate it will be like the following if we used expand

depMgmt section
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>javax.servlet-api</artifactId>
        <version>3.1.0</version>
      </dependency>
      <dependency>
        <groupId>junit</groupId>
        <artifactId>junit</artifactId>
        <version>4.13.2</version>
      </dependency>
      <dependency>
        <groupId>org.hamcrest</groupId>
        <artifactId>hamcrest-core</artifactId>
        <version>2.2</version>
      </dependency>
      <dependency>
        <groupId>org.jenkins-ci</groupId>
        <artifactId>test-annotations</artifactId>
        <version>1.4</version>
      </dependency>
      <dependency>
        <groupId>org.jenkins-ci.main</groupId>
        <artifactId>jenkins-core</artifactId>
        <version>2.361.4</version>
        <exclusions>
          <exclusion>
            <groupId>javax.servlet</groupId>
            <artifactId>servlet-api</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
      <dependency>
        <groupId>org.jenkins-ci.main</groupId>
        <artifactId>jenkins-test-harness</artifactId>
        <version>1929.vfb_39b_60fcea_f</version>
      </dependency>
      <dependency>
        <groupId>org.jenkins-ci.main</groupId>
        <artifactId>jenkins-war</artifactId>
        <version>2.361.4</version>
        <type>executable-war</type>
        <scope>test</scope>
        <exclusions>
          <exclusion>
            <groupId>javax.servlet</groupId>
            <artifactId>servlet-api</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
      <dependency>
        <groupId>com.squareup.okhttp3</groupId>
        <artifactId>mockwebserver</artifactId>
        <version>4.10.0</version>
      </dependency>
      <dependency>
        <groupId>com.squareup.okhttp3</groupId>
        <artifactId>okcurl</artifactId>
        <version>4.10.0</version>
      </dependency>
      <dependency>
        <groupId>com.squareup.okhttp3</groupId>
        <artifactId>okhttp</artifactId>
        <version>4.10.0</version>
      </dependency>
      <dependency>
        <groupId>com.squareup.okhttp3</groupId>
        <artifactId>okhttp-brotli</artifactId>
        <version>4.10.0</version>
      </dependency>
      <dependency>
        <groupId>com.squareup.okhttp3</groupId>
        <artifactId>okhttp-dnsoverhttps</artifactId>
        <version>4.10.0</version>
      </dependency>
      <dependency>
        <groupId>com.squareup.okhttp3</groupId>
        <artifactId>logging-interceptor</artifactId>
        <version>4.10.0</version>
      </dependency>
      <dependency>
        <groupId>com.squareup.okhttp3</groupId>
        <artifactId>okhttp-sse</artifactId>
        <version>4.10.0</version>
      </dependency>
      <dependency>
        <groupId>com.squareup.okhttp3</groupId>
        <artifactId>okhttp-tls</artifactId>
        <version>4.10.0</version>
      </dependency>
      <dependency>
        <groupId>com.squareup.okhttp3</groupId>
        <artifactId>okhttp-urlconnection</artifactId>
        <version>4.10.0</version>
      </dependency>
      <dependency>
        <groupId>com.squareup.okio</groupId>
        <artifactId>okio</artifactId>
        <version>3.2.0</version>
      </dependency>
      <dependency>
        <groupId>com.squareup.okio</groupId>
        <artifactId>okio-fakefilesystem</artifactId>
        <version>3.2.0</version>
      </dependency>
      <dependency>
        <groupId>com.squareup.okio</groupId>
        <artifactId>okio-nodefilesystem</artifactId>
        <version>3.2.0</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-stdlib</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-stdlib-jdk7</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-stdlib-jdk8</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-stdlib-js</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-stdlib-common</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-reflect</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-osgi-bundle</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-test</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-test-junit</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-test-junit5</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-test-testng</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-test-js</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-test-common</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-test-annotations-common</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-main-kts</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-script-runtime</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-script-util</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-scripting-common</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-scripting-jvm</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-scripting-jvm-host</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-scripting-ide-services</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-compiler</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-compiler-embeddable</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-daemon-client</artifactId>
        <version>1.7.22</version>
      </dependency>
      <dependency>
        <groupId>antlr</groupId>
        <artifactId>antlr</artifactId>
        <version>2.7.7</version>
      </dependency>
      <dependency>
        <groupId>args4j</groupId>
        <artifactId>args4j</artifactId>
        <version>2.33</version>
      </dependency>
      <dependency>
        <groupId>com.github.spotbugs</groupId>
        <artifactId>spotbugs-annotations</artifactId>
        <version>4.7.1</version>
      </dependency>
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>31.1-jre</version>
      </dependency>
      <dependency>
        <groupId>com.jcraft</groupId>
        <artifactId>jzlib</artifactId>
        <version>1.1.3-kohsuke-1</version>
      </dependency>
      <dependency>
        <groupId>com.sun.solaris</groupId>
        <artifactId>embedded_su4j</artifactId>
        <version>1.1</version>
      </dependency>
      <dependency>
        <groupId>com.sun.xml.txw2</groupId>
        <artifactId>txw2</artifactId>
        <version>20110809</version>
      </dependency>
      <dependency>
        <groupId>com.thoughtworks.xstream</groupId>
        <artifactId>xstream</artifactId>
        <version>1.4.19</version>
      </dependency>
      <dependency>
        <groupId>commons-beanutils</groupId>
        <artifactId>commons-beanutils</artifactId>
        <version>1.9.4</version>
      </dependency>
      <dependency>
        <groupId>commons-codec</groupId>
        <artifactId>commons-codec</artifactId>
        <version>1.15</version>
      </dependency>
      <dependency>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
        <version>3.2.2</version>
      </dependency>
      <dependency>
        <groupId>commons-fileupload</groupId>
        <artifactId>commons-fileupload</artifactId>
        <version>1.4</version>
      </dependency>
      <dependency>
        <groupId>commons-httpclient</groupId>
        <artifactId>commons-httpclient</artifactId>
        <version>3.1-jenkins-3</version>
      </dependency>
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.11.0</version>
      </dependency>
      <dependency>
        <groupId>commons-jelly</groupId>
        <artifactId>commons-jelly-tags-fmt</artifactId>
        <version>1.0</version>
      </dependency>
      <dependency>
        <groupId>commons-jelly</groupId>
        <artifactId>commons-jelly-tags-xml</artifactId>
        <version>1.1</version>
      </dependency>
      <dependency>
        <groupId>commons-lang</groupId>
        <artifactId>commons-lang</artifactId>
        <version>2.6</version>
      </dependency>
      <dependency>
        <groupId>io.jenkins.stapler</groupId>
        <artifactId>jenkins-stapler-support</artifactId>
        <version>1.1</version>
      </dependency>
      <dependency>
        <groupId>jakarta.servlet.jsp.jstl</groupId>
        <artifactId>jakarta.servlet.jsp.jstl-api</artifactId>
        <version>1.2.7</version>
      </dependency>
      <dependency>
        <groupId>jaxen</groupId>
        <artifactId>jaxen</artifactId>
        <version>1.2.0</version>
      </dependency>
      <dependency>
        <groupId>net.java.dev.jna</groupId>
        <artifactId>jna</artifactId>
        <version>5.12.1</version>
      </dependency>
      <dependency>
        <groupId>net.java.sezpoz</groupId>
        <artifactId>sezpoz</artifactId>
        <version>1.13</version>
      </dependency>
      <dependency>
        <groupId>net.jcip</groupId>
        <artifactId>jcip-annotations</artifactId>
        <version>1.0</version>
      </dependency>
      <dependency>
        <groupId>net.sf.kxml</groupId>
        <artifactId>kxml2</artifactId>
        <version>2.3.0</version>
      </dependency>
      <dependency>
        <groupId>org.apache.ant</groupId>
        <artifactId>ant</artifactId>
        <version>1.10.12</version>
      </dependency>
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-compress</artifactId>
        <version>1.21</version>
      </dependency>
      <dependency>
        <groupId>org.codehaus.groovy</groupId>
        <artifactId>groovy-all</artifactId>
        <version>2.4.21</version>
      </dependency>
      <dependency>
        <groupId>org.connectbot.jbcrypt</groupId>
        <artifactId>jbcrypt</artifactId>
        <version>1.0.0</version>
      </dependency>
      <dependency>
        <groupId>org.fusesource.jansi</groupId>
        <artifactId>jansi</artifactId>
        <version>1.11</version>
      </dependency>
      <dependency>
        <groupId>org.jenkins-ci</groupId>
        <artifactId>annotation-indexer</artifactId>
        <version>1.16</version>
      </dependency>
      <dependency>
        <groupId>org.jenkins-ci</groupId>
        <artifactId>commons-jexl</artifactId>
        <version>1.1-jenkins-20111212</version>
      </dependency>
      <dependency>
        <groupId>org.jenkins-ci</groupId>
        <artifactId>crypto-util</artifactId>
        <version>1.7</version>
      </dependency>
      <dependency>
        <groupId>org.jenkins-ci</groupId>
        <artifactId>memory-monitor</artifactId>
        <version>1.11</version>
      </dependency>
      <dependency>
        <groupId>org.jenkins-ci</groupId>
        <artifactId>symbol-annotation</artifactId>
        <version>1.23</version>
      </dependency>
      <dependency>
        <groupId>org.jenkins-ci</groupId>
        <artifactId>task-reactor</artifactId>
        <version>1.7</version>
      </dependency>
      <dependency>
        <groupId>org.jenkins-ci</groupId>
        <artifactId>version-number</artifactId>
        <version>1.10</version>
      </dependency>
      <dependency>
        <groupId>org.jenkins-ci.main</groupId>
        <artifactId>remoting</artifactId>
        <version>3044.vb_940a_a_e4f72e</version>
      </dependency>
      <dependency>
        <groupId>org.jfree</groupId>
        <artifactId>jfreechart</artifactId>
        <version>1.0.19</version>
      </dependency>
      <dependency>
        <groupId>org.jvnet.hudson</groupId>
        <artifactId>commons-jelly-tags-define</artifactId>
        <version>1.0.1-hudson-20071021</version>
      </dependency>
      <dependency>
        <groupId>org.jvnet.localizer</groupId>
        <artifactId>localizer</artifactId>
        <version>1.31</version>
      </dependency>
      <dependency>
        <groupId>org.jvnet.robust-http-client</groupId>
        <artifactId>robust-http-client</artifactId>
        <version>1.2</version>
      </dependency>
      <dependency>
        <groupId>org.jvnet.winp</groupId>
        <artifactId>winp</artifactId>
        <version>1.28</version>
      </dependency>
      <dependency>
        <groupId>org.kohsuke</groupId>
        <artifactId>access-modifier-annotation</artifactId>
        <version>1.27</version>
      </dependency>
      <dependency>
        <groupId>org.kohsuke</groupId>
        <artifactId>windows-package-checker</artifactId>
        <version>1.2</version>
      </dependency>
      <dependency>
        <groupId>org.kohsuke.jinterop</groupId>
        <artifactId>j-interop</artifactId>
        <version>2.0.8-kohsuke-1</version>
      </dependency>
      <dependency>
        <groupId>org.kohsuke.metainf-services</groupId>
        <artifactId>metainf-services</artifactId>
        <version>1.9</version>
      </dependency>
      <dependency>
        <groupId>org.kohsuke.stapler</groupId>
        <artifactId>json-lib</artifactId>
        <version>2.4-jenkins-3</version>
      </dependency>
      <dependency>
        <groupId>org.kohsuke.stapler</groupId>
        <artifactId>stapler</artifactId>
        <version>1711.1713.vc400cfb_5597a_</version>
      </dependency>
      <dependency>
        <groupId>org.kohsuke.stapler</groupId>
        <artifactId>stapler-adjunct-codemirror</artifactId>
        <version>1.3</version>
      </dependency>
      <dependency>
        <groupId>org.kohsuke.stapler</groupId>
        <artifactId>stapler-adjunct-timeline</artifactId>
        <version>1.5</version>
      </dependency>
      <dependency>
        <groupId>org.kohsuke.stapler</groupId>
        <artifactId>stapler-groovy</artifactId>
        <version>1711.1713.vc400cfb_5597a_</version>
      </dependency>
      <dependency>
        <groupId>org.ow2.asm</groupId>
        <artifactId>asm</artifactId>
        <version>9.3</version>
      </dependency>
      <dependency>
        <groupId>org.ow2.asm</groupId>
        <artifactId>asm-analysis</artifactId>
        <version>9.3</version>
      </dependency>
      <dependency>
        <groupId>org.ow2.asm</groupId>
        <artifactId>asm-commons</artifactId>
        <version>9.3</version>
      </dependency>
      <dependency>
        <groupId>org.ow2.asm</groupId>
        <artifactId>asm-tree</artifactId>
        <version>9.3</version>
      </dependency>
      <dependency>
        <groupId>org.ow2.asm</groupId>
        <artifactId>asm-util</artifactId>
        <version>9.3</version>
      </dependency>
      <dependency>
        <groupId>org.samba.jcifs</groupId>
        <artifactId>jcifs</artifactId>
        <version>1.3.18-kohsuke-1</version>
      </dependency>
      <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>jcl-over-slf4j</artifactId>
        <version>1.7.36</version>
      </dependency>
      <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>log4j-over-slf4j</artifactId>
        <version>1.7.36</version>
      </dependency>
      <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-api</artifactId>
        <version>1.7.36</version>
      </dependency>
      <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-jdk14</artifactId>
        <version>1.7.36</version>
      </dependency>
      <dependency>
        <groupId>commons-logging</groupId>
        <artifactId>commons-logging</artifactId>
        <version>1.2</version>
        <scope>provided</scope>
      </dependency>
      <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>servlet-api</artifactId>
        <version>[0]</version>
        <scope>provided</scope>
        <optional>true</optional>
      </dependency>
      <dependency>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
        <version>1.2.17</version>
        <scope>provided</scope>
      </dependency>
      <dependency>
        <groupId>com.google.inject</groupId>
        <artifactId>guice</artifactId>
        <version>5.0.1</version>
      </dependency>
      <dependency>
        <groupId>com.google.inject</groupId>
        <artifactId>guice</artifactId>
        <version>5.0.1</version>
        <classifier>classes</classifier>
      </dependency>
      <dependency>
        <groupId>com.google.inject.extensions</groupId>
        <artifactId>guice-assistedinject</artifactId>
        <version>5.0.1</version>
      </dependency>
      <dependency>
        <groupId>com.google.inject.extensions</groupId>
        <artifactId>guice-dagger-adapter</artifactId>
        <version>5.0.1</version>
      </dependency>
      <dependency>
        <groupId>com.google.inject.extensions</groupId>
        <artifactId>guice-grapher</artifactId>
        <version>5.0.1</version>
      </dependency>
      <dependency>
        <groupId>com.google.inject.extensions</groupId>
        <artifactId>guice-jmx</artifactId>
        <version>5.0.1</version>
      </dependency>
      <dependency>
        <groupId>com.google.inject.extensions</groupId>
        <artifactId>guice-jndi</artifactId>
        <version>5.0.1</version>
      </dependency>
      <dependency>
        <groupId>com.google.inject.extensions</groupId>
        <artifactId>guice-persist</artifactId>
        <version>5.0.1</version>
      </dependency>
      <dependency>
        <groupId>com.google.inject.extensions</groupId>
        <artifactId>guice-servlet</artifactId>
        <version>5.0.1</version>
      </dependency>
      <dependency>
        <groupId>com.google.inject.extensions</groupId>
        <artifactId>guice-spring</artifactId>
        <version>5.0.1</version>
      </dependency>
      <dependency>
        <groupId>com.google.inject.extensions</groupId>
        <artifactId>guice-struts2</artifactId>
        <version>5.0.1</version>
      </dependency>
      <dependency>
        <groupId>com.google.inject.extensions</groupId>
        <artifactId>guice-testlib</artifactId>
        <version>5.0.1</version>
      </dependency>
      <dependency>
        <groupId>com.google.inject.extensions</groupId>
        <artifactId>guice-throwingproviders</artifactId>
        <version>5.0.1</version>
      </dependency>
      <dependency>
        <groupId>javax.inject</groupId>
        <artifactId>javax.inject</artifactId>
        <version>1</version>
      </dependency>
      <dependency>
        <groupId>javax.inject</groupId>
        <artifactId>javax.inject-tck</artifactId>
        <version>1</version>
      </dependency>
      <dependency>
        <groupId>aopalliance</groupId>
        <artifactId>aopalliance</artifactId>
        <version>1.0</version>
      </dependency>
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava-testlib</artifactId>
        <version>30.1-jre</version>
      </dependency>
      <dependency>
        <groupId>com.google.truth</groupId>
        <artifactId>truth</artifactId>
        <version>0.45</version>
        <scope>test</scope>
      </dependency>
      <dependency>
        <groupId>com.google.code.findbugs</groupId>
        <artifactId>jsr305</artifactId>
        <version>3.0.1</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-aop</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-aspects</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-beans</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-context</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-context-indexer</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-context-support</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-core</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-expression</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-instrument</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-jcl</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-jdbc</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-jms</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-messaging</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-orm</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-oxm</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-r2dbc</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-test</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-tx</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-web</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webflux</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-websocket</artifactId>
        <version>5.3.22</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-acl</artifactId>
        <version>5.7.2</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-aspects</artifactId>
        <version>5.7.2</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-cas</artifactId>
        <version>5.7.2</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>5.7.2</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-core</artifactId>
        <version>5.7.2</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-crypto</artifactId>
        <version>5.7.2</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-data</artifactId>
        <version>5.7.2</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-ldap</artifactId>
        <version>5.7.2</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-messaging</artifactId>
        <version>5.7.2</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-client</artifactId>
        <version>5.7.2</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-core</artifactId>
        <version>5.7.2</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-jose</artifactId>
        <version>5.7.2</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-resource-server</artifactId>
        <version>5.7.2</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-openid</artifactId>
        <version>5.7.2</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-remoting</artifactId>
        <version>5.7.2</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-rsocket</artifactId>
        <version>5.7.2</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-saml2-service-provider</artifactId>
        <version>5.7.2</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-taglibs</artifactId>
        <version>5.7.2</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-test</artifactId>
        <version>5.7.2</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>5.7.2</version>
      </dependency>
      <dependency>
        <groupId>org.junit.jupiter</groupId>
        <artifactId>junit-jupiter</artifactId>
        <version>5.9.2</version>
      </dependency>
      <dependency>
        <groupId>org.junit.jupiter</groupId>
        <artifactId>junit-jupiter-api</artifactId>
        <version>5.9.2</version>
      </dependency>
      <dependency>
        <groupId>org.junit.jupiter</groupId>
        <artifactId>junit-jupiter-engine</artifactId>
        <version>5.9.2</version>
      </dependency>
      <dependency>
        <groupId>org.junit.jupiter</groupId>
        <artifactId>junit-jupiter-migrationsupport</artifactId>
        <version>5.9.2</version>
      </dependency>
      <dependency>
        <groupId>org.junit.jupiter</groupId>
        <artifactId>junit-jupiter-params</artifactId>
        <version>5.9.2</version>
      </dependency>
      <dependency>
        <groupId>org.junit.platform</groupId>
        <artifactId>junit-platform-commons</artifactId>
        <version>1.9.2</version>
      </dependency>
      <dependency>
        <groupId>org.junit.platform</groupId>
        <artifactId>junit-platform-console</artifactId>
        <version>1.9.2</version>
      </dependency>
      <dependency>
        <groupId>org.junit.platform</groupId>
        <artifactId>junit-platform-engine</artifactId>
        <version>1.9.2</version>
      </dependency>
      <dependency>
        <groupId>org.junit.platform</groupId>
        <artifactId>junit-platform-jfr</artifactId>
        <version>1.9.2</version>
      </dependency>
      <dependency>
        <groupId>org.junit.platform</groupId>
        <artifactId>junit-platform-launcher</artifactId>
        <version>1.9.2</version>
      </dependency>
      <dependency>
        <groupId>org.junit.platform</groupId>
        <artifactId>junit-platform-reporting</artifactId>
        <version>1.9.2</version>
      </dependency>
      <dependency>
        <groupId>org.junit.platform</groupId>
        <artifactId>junit-platform-runner</artifactId>
        <version>1.9.2</version>
      </dependency>
      <dependency>
        <groupId>org.junit.platform</groupId>
        <artifactId>junit-platform-suite</artifactId>
        <version>1.9.2</version>
      </dependency>
      <dependency>
        <groupId>org.junit.platform</groupId>
        <artifactId>junit-platform-suite-api</artifactId>
        <version>1.9.2</version>
      </dependency>
      <dependency>
        <groupId>org.junit.platform</groupId>
        <artifactId>junit-platform-suite-commons</artifactId>
        <version>1.9.2</version>
      </dependency>
      <dependency>
        <groupId>org.junit.platform</groupId>
        <artifactId>junit-platform-suite-engine</artifactId>
        <version>1.9.2</version>
      </dependency>
      <dependency>
        <groupId>org.junit.platform</groupId>
        <artifactId>junit-platform-testkit</artifactId>
        <version>1.9.2</version>
      </dependency>
      <dependency>
        <groupId>org.junit.vintage</groupId>
        <artifactId>junit-vintage-engine</artifactId>
        <version>5.9.2</version>
      </dependency>
      <dependency>
        <groupId>org.mockito</groupId>
        <artifactId>mockito-core</artifactId>
        <version>4.11.0</version>
      </dependency>
      <dependency>
        <groupId>org.mockito</groupId>
        <artifactId>mockito-android</artifactId>
        <version>4.11.0</version>
      </dependency>
      <dependency>
        <groupId>org.mockito</groupId>
        <artifactId>mockito-errorprone</artifactId>
        <version>4.11.0</version>
      </dependency>
      <dependency>
        <groupId>org.mockito</groupId>
        <artifactId>mockito-inline</artifactId>
        <version>4.11.0</version>
      </dependency>
      <dependency>
        <groupId>org.mockito</groupId>
        <artifactId>mockito-junit-jupiter</artifactId>
        <version>4.11.0</version>
      </dependency>
      <dependency>
        <groupId>org.mockito</groupId>
        <artifactId>mockito-proxy</artifactId>
        <version>4.11.0</version>
      </dependency>
      <dependency>
        <groupId>org.mockito</groupId>
        <artifactId>mockito-subclass</artifactId>
        <version>4.11.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yikes, that is a lot, and I guess there is no way to restrict it to the actual transitive deps.

🤷 we can try this, I am just concerned it will result in other weird problems down the line. It is hard to predict the practical effect of changes like this in such a huge ecosystem, which is why I asked whether there were more than one known example, or if we could just work around the issue in this one plugin for now.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

given we have an extension we could write our own DefaultInheritanceAssembler; that is hpi aware, however I would consider that more risky than just including the dependencyManagement section - which at the end of the day we have been doing for years for plugins released with m-r-p

Copy link
Member Author

@jtnord jtnord Mar 9, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://repo.jenkins-ci.org/incrementals/io/jenkins/plugins/okhttp-api/4.10.0-126.v8a_8a_2605a_a_e7/ (interpolate)
https://repo.jenkins-ci.org/incrementals/io/jenkins/plugins/okhttp-api/4.10.0-126.v01d52e6d79e4/ (expand)

whilst expand is a lot and a lot of unused dependencies - as they are not transitive dependencies it will not matter if you favour completeness and correctness over simplicity (and incorrectness if the dependencyManagement is in a parent).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

discussed directly with @jglick as the intention of the flatten plugin here is to have a self contained pom - this will switch to expand which will also have the benefit of picking up any <dependencyManagement> configured in the parent(s).

assert pomXml.contains('version>1.0-rc1234.deadbeef5678</version>')
// https://github.com/jenkinsci/plugin-pom/issues/705
// line endings need normalising
assert pomXml.replace("\r\n", "\n").contains('''
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

flatten plugin creates poms with native line ends - yet this file may or may not be using native line ends depending on the local git setup - so normalize them.

jtnord added a commit to jtnord/okhttp-api-plugin that referenced this pull request Mar 9, 2023
jtnord added a commit to jtnord/okhttp-api-plugin that referenced this pull request Mar 9, 2023
jtnord added a commit to jtnord/okhttp-api-plugin that referenced this pull request Mar 9, 2023
@basil basil removed their request for review March 9, 2023 15:09
@jtnord jtnord marked this pull request as ready for review March 9, 2023 17:15
as discussed with @jglick as the intention of the flatten plugin here is to have
a self contained pom - this will switch to expand which will also have the benefit
of picking up any <dependencyManagement> configured in the parent(s).
@jglick
Copy link
Member

jglick commented Mar 10, 2023

Given #705 (comment), should this be returned to draft?

@jtnord jtnord marked this pull request as draft March 10, 2023 12:26
jtnord added a commit to jtnord/okhttp-api-plugin that referenced this pull request Mar 10, 2023
jtnord added a commit to jtnord/github-api-plugin that referenced this pull request Mar 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

published incremental poms have dependencyManagement stripped causing incorrect dependency resolution
2 participants