Closed: efge closed this issue 5 years ago
I've seen some warnings related to this but am not sure we're talking about quite the same thing.
Should I be looking for something specific in the log from mvn verify, or at some report under target/site, to find these problems?
It's not a problem per se but a good practice to disallow version ranges (and SNAPSHOT) in order to have reproducible builds. The Maven Enforcer plugin can be configured to disallow SNAPSHOT versions, but I'm not seeing anything related to version ranges.
I can provide a PR to remove the ranges if you want.
@efge Thanks for the offer.
I agree that reproducible builds are important, but I'm leery of breaking downstream clients.
https://github.com/OWASP/java-html-sanitizer/commit/b17604bb11c2c00809163a425d5aa481be8371a1 abstracts out the guava version.
I'd prefer if we can get the same benefit by using parameters with default values to allow ranges and explicit single-version overrides, incorporating build tests, and changing the release checklist to include mandating a particular version.
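A concrete form of the property-with-default approach described above, as an added example that is not the project's POM and not part of this thread: the parent POM declares the guava version as a property whose default is a range, a `release` profile pins that property to a single version so release builds are reproducible, and the Maven Enforcer plugin's `requireReleaseDeps` rule (the SNAPSHOT check mentioned earlier in the thread) fails the build when any dependency resolves to a SNAPSHOT. The groupId, artifactId, property name, profile id and all version numbers are constructed for the example.

```xml
<!-- Added example, not the project's POM. Names and versions are constructed. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.placeholder</groupId>
  <artifactId>parent-example</artifactId>
  <version>1.0.0</version>
  <packaging>pom</packaging>

  <properties>
    <!-- Default keeps a range so downstream clients are not broken.
         The range bound below is a constructed example value. -->
    <guava.version>[20.0,)</guava.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <!-- Every module inherits whichever value the property resolves to. -->
        <version>${guava.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <profiles>
    <profile>
      <!-- Release checklist item: build with -Prelease so the version is pinned.
           Profile properties override the default declared above. -->
      <id>release</id>
      <properties>
        <guava.version>27.0.1-jre</guava.version> <!-- constructed pinned version -->
      </properties>
    </profile>
  </profiles>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0</version> <!-- assumed plugin version -->
        <executions>
          <execution>
            <id>enforce-release-deps</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <!-- Fails the build if any dependency resolves to a SNAPSHOT. -->
                <requireReleaseDeps/>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With this layout a plain `mvn verify` still resolves the range, `mvn -Prelease verify` builds against the pinned version, and an explicit `-Dguava.version=...` on the command line overrides both, which is the single-version override the comment asks for. A build test for the release path can assert that the resolved guava artifact matches the pinned value (for instance by inspecting `mvn -Prelease dependency:list` output in CI). Newer Enforcer releases (3.2.0 and later) additionally provide a `banDynamicVersions` rule that rejects version ranges outright, which is the direct check for ranges that the thread notes was missing at the time.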
In order to get reproducible builds, please consider using fixed versions in the POMs. This applies to this part of the parent POM:
(there are also two others for findbugs but they are less critical)