repeatable builds with libraries that have version ranges

[Vasco Figueira]

Hi all,

This is fairly specific question.

A the start of a pipeline (we're using Go) we ground a build, i.e. fixate the versions to make it repeatable. There's one library that we depend on that defines in its POM a version range. In our dependency tree it appears like so:

[INFO] |  +- com.theoryinpractise:halbuilder-json:jar:3.1.1:compile

[INFO] |  |  +- com.theoryinpractise:halbuilder-api:jar:2.2.1:compile (version selected from constraint [2.1.0,3.0.0))

[INFO] |  |  \- com.theoryinpractise:halbuilder-core:jar:3.1.3:compile (version selected from constraint [3.0.0,4.0.0))

https://repo1.maven.org/maven2/com/theoryinpractise/halbuilder-json/3.1.1/halbuilder-json-3.1.1.pom

The resolve-ranges goal of the versions-maven-plugin does allow you to fixate these versions if they're your direct dependencies, but if they're transitive it does not add to your POM an "override" to fixate those.

http://mojo.codehaus.org/versions-maven-plugin/resolve-ranges-mojo.html

Has anyone come up with solution for this other than manually pulling that particular range definition to our POM?

Thank you.

Regards,

Vasco

[Johan Rydström]

Maybe I misunderstand but isn't that a non-issue? The direct dependency you are "fixating" will be on a specific version which is one unique build; that build should also only be able to have one version of a child bound (at one time), no?

Or is your problem that you are USING code from the indirect dependency without declaring it? Maybe you could declare & fixate that transitive dependency directly in your pom.

Regards,

Johan Rydström