[MENFORCER-517] requireReleaseDeps ignores optional dependencies #855

@jira-importer

James Nord opened MENFORCER-517 and commented

A project configured with an optional dependency with a snapshot version and enforcer with requireReleaseDeps set to fail should fail the build; however, the rule does not look at optional dependencies.

Whilst this makes no difference to consumers, it means that requireReleaseDeps cannot be used to help enforce the reproducibility of release builds.

Steps to Reproduce

Create a Maven POM with the following:

<?xml version="1.0" encoding="utf-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>maven.test</groupId>
  <artifactId>enforcer-bug</artifactId>
  <packaging>jar</packaging>
  <version>1-SNAPSHOT</version>
  <build>
    <pluginManagement>
      <plugins>
        <plugin>
          <artifactId>maven-enforcer-plugin</artifactId>
          <version>3.5.0</version>
        </plugin>
      </plugins>
    </pluginManagement>
    <plugins>
      <plugin>
        <artifactId>maven-enforcer-plugin</artifactId>
        <executions>
          <execution>
            <id>enforce-no-snapshots</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <requireReleaseDeps>
                  <message>No Snapshots Allowed For Release Versions</message>
                  <onlyWhenRelease>false</onlyWhenRelease>
                </requireReleaseDeps>
              </rules>
              <fail>true</fail>
              <skip>false</skip>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.1-SNAPSHOT</version>
      <type>jar</type>
      <scope>test</scope>
      <optional>true</optional>
    </dependency>
  </dependencies>
</project>
 

Run mvn validate

Expected results

The build fails with

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.5.0:enforce (enforce-no-snapshots) on project enforcer-bug:
[ERROR] Rule 0: org.apache.maven.enforcer.rules.dependency.RequireReleaseDeps failed with message:
[ERROR] No Snapshots Allowed For Release Versions
[ERROR] maven.test:enforcer-bug:jar:1-SNAPSHOT
[ERROR]    junit:junit:jar:4.1-SNAPSHOT <--- is not a release dependency 

Actual results

the build passes

[INFO] Rule 0: org.apache.maven.enforcer.rules.dependency.RequireReleaseDeps passed 

Note if you remove the <optional>true</optional> from the dependency you will see that the enforcer rule passes


Affects: 3.5.0

Labels: bug (Something isn't working), priority:major (Major loss of function)
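
A stand-alone pre-release check for the gap described in this report, as an added example (not part of the original issue and not maven-enforcer-plugin code): it flags -SNAPSHOT versions among a POM's directly declared dependencies whether or not they are marked optional. It assumes literal versions in a single pom.xml (no property interpolation, parent inheritance or transitive resolution); `snapshot_dependencies` and the `com.example` entries are hypothetical names.

```python
import sys
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample: the junit entry is the dependency from the report;
# the two com.example entries are made up for contrast.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>maven.test</groupId>
  <artifactId>enforcer-bug</artifactId>
  <version>1-SNAPSHOT</version>
  <dependencies>
    <dependency>
      <groupId>junit</groupId><artifactId>junit</artifactId>
      <version>4.1-SNAPSHOT</version><scope>test</scope>
      <optional>true</optional>
    </dependency>
    <dependency>
      <groupId>com.example</groupId><artifactId>lib-release</artifactId>
      <version>1.0</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId><artifactId>lib-snap</artifactId>
      <version>2.0-SNAPSHOT</version>
    </dependency>
  </dependencies>
</project>"""


def snapshot_dependencies(pom_text):
    """Return (groupId, artifactId, version, optional) for every directly
    declared dependency with a -SNAPSHOT version, optional ones included."""
    root = ET.fromstring(pom_text)
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        def field(name, default=""):
            return (dep.findtext("m:" + name, default, NS) or default).strip()
        version = field("version")
        if version.endswith("-SNAPSHOT"):
            optional = field("optional", "false").lower() == "true"
            findings.append((field("groupId"), field("artifactId"), version, optional))
    return findings


if __name__ == "__main__":
    # With a path argument: check that POM and exit 1 on findings.
    # Without one: only print the findings for the constructed sample.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_POM
    found = snapshot_dependencies(text)
    for g, a, v, opt in found:
        print(f"{g}:{a}:{v} is not a release dependency" + (" (optional)" if opt else ""))
    sys.exit(1 if found and len(sys.argv) > 1 else 0)
```
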