Open
Labels
bug (Something isn't working), priority:major (Major loss of function)
Description
Pascal Knüppel opened MENFORCER-520 and commented
From yesterday to today we are suddenly getting the following error:
[ERROR] Rule 0: org.apache.maven.enforcer.rules.dependency.RequireUpperBoundDeps failed with message:
[ERROR] Failed while enforcing RequireUpperBoundDeps. The error(s) are [
[ERROR] Require upper bound dependencies error for org.bouncycastle:bcprov-jdk18on:1.80 paths to dependency are:
[ERROR] +-de.governikus.autent.crucis:oidc-auth-service:3.2.1-SNAPSHOT
[ERROR] +-de.governikus.autent.utils:autent-key-utils:5.2.0
[ERROR] +-org.bouncycastle:bcprov-jdk18on:1.80 (managed) <-- org.bouncycastle:bcprov-jdk18on:1.78.1
[ERROR] and
[ERROR] +-de.governikus.autent.crucis:oidc-auth-service:3.2.1-SNAPSHOT
[ERROR] +-de.governikus.autent.utils:autent-key-utils:5.2.0
[ERROR] +-org.bouncycastle:bcpkix-jdk18on:1.80 (managed) <-- org.bouncycastle:bcpkix-jdk18on:1.78.1
[ERROR] +-org.bouncycastle:bcutil-jdk18on:1.80.0.redhat-00001
[ERROR] +-org.bouncycastle:bcprov-jdk18on:1.80 (managed) <-- org.bouncycastle:bcprov-jdk18on:1.80.0.redhat-00001
[ERROR] ]
redhat just released a new version of jdk18on and bouncycastle defines a version range to always use the newer version.
We do not want to use the explicit redhat-version. Is it really the right way to treat such versions like 1.80.0.redhat-00001 as newer than the version 1.80.0?
I consider this behaviour rather problematic.
It would be great if we can add exclusion filters for specific version-patterns like .*redhat.* for example
Affects: 3.5.0
chavdav
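The ordering the report runs into, as an added example that is not part of the original issue and is not Maven's or the enforcer plugin's code: a simplified Python model of Maven's documented qualifier ordering, in which an unknown qualifier such as `redhat` sorts after a plain release. The `exclude` parameter is hypothetical and only mirrors the filter requested above; the candidate list is constructed from the versions in the log.

```python
import re
from functools import cmp_to_key

# Qualifier ranks from Maven's documented ordering; "" is a plain release.
_RANK = {"alpha": 1, "beta": 2, "milestone": 3, "rc": 4, "cr": 4,
         "snapshot": 5, "": 6, "ga": 6, "final": 6, "release": 6, "sp": 7}
_UNKNOWN = 8  # any other qualifier (e.g. "redhat") sorts after every known one


def _tokens(version):
    """Split on separators and on digit/letter boundaries."""
    return [int(t) if t.isdigit() else t
            for t in re.findall(r"\d+|[a-z]+", version.lower())]


def _key(tok):
    if isinstance(tok, int):
        return (1, tok, "")  # numeric items outrank qualifier items
    rank = _RANK.get(tok, _UNKNOWN)
    return (0, rank, tok if rank == _UNKNOWN else "")


def compare(a, b):
    """Return -1, 0 or 1. Simplification: '.' and '-' are treated alike."""
    ta, tb = _tokens(a), _tokens(b)
    for i in range(max(len(ta), len(tb))):
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        # A missing item counts as 0 against a number, as release against a qualifier.
        if x is None:
            x = 0 if isinstance(y, int) else ""
        if y is None:
            y = 0 if isinstance(x, int) else ""
        kx, ky = _key(x), _key(y)
        if kx != ky:
            return -1 if kx < ky else 1
    return 0


def highest(candidates, exclude=None):
    """Pick the newest candidate; `exclude` is a hypothetical version-pattern filter."""
    pool = [v for v in candidates if not (exclude and re.search(exclude, v))]
    return max(pool, key=cmp_to_key(compare))


# Constructed candidate list, using the version strings from the log above.
CANDIDATES = ["1.78.1", "1.80", "1.80.0.redhat-00001"]
print(highest(CANDIDATES))                        # vendor rebuild wins
print(highest(CANDIDATES, exclude=r".*redhat.*")) # upstream release wins
```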