Open pombredanne opened 5 months ago
https://github.com/chains-project/maven-lockfile should work well here, we can help with integration.
@monperrus Thanks. This would be great.
@pombredanne I'm starting to work on this implementation and wanted to ask about how you prefer to handle modules? `maven-lockfile` behaves the same as `mvn dependency:tree` in regards to processing all `pom.xml` in the codebase (that are linked as modules) and generates one lockfile per pom file. Since the check if a lockfile already exists (and enforces the --force flag) is done in the Go code, I wonder how you prefer this be solved?
My suggestions are:
1. `lockfile.json` in the root of the project. This might accidentally overwrite lockfiles in modules without warning and without requiring the --force flag.
2. `lockfiles.json` in all folders of the project. This might accidentally require the --force flag even though nothing would get overwritten.
3. `pom.xml` in Go and check all module folders. This would make the footprint of the Go code much larger.
What do you think? Of course open to other suggestions/solutions!
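Option 3 above (following `<module>` links from the root pom.xml and checking each module folder for an existing lockfile), as an added Go example that is not part of the thread or of either project's code. It assumes module entries name directories and that the lockfile is called lockfile.json as in the comment; the type and function names are hypothetical, and modules declared only inside profiles are not followed.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// pom keeps only the <modules> list; entries are assumed to be directories.
type pom struct {
	Modules []string `xml:"modules>module"`
}

// existingLockfiles follows <module> links from dir and returns every
// lockfile.json already present, i.e. what a new run would overwrite.
func existingLockfiles(dir string, seen map[string]bool) ([]string, error) {
	dir = filepath.Clean(dir)
	if seen[dir] { // guard against modules that reference each other
		return nil, nil
	}
	seen[dir] = true
	data, err := os.ReadFile(filepath.Join(dir, "pom.xml"))
	if err != nil {
		return nil, err
	}
	var p pom
	if err := xml.Unmarshal(data, &p); err != nil {
		return nil, fmt.Errorf("%s: %w", dir, err)
	}
	var found []string
	if _, err := os.Stat(filepath.Join(dir, "lockfile.json")); err == nil {
		found = append(found, filepath.Join(dir, "lockfile.json"))
	}
	for _, m := range p.Modules {
		sub, err := existingLockfiles(filepath.Join(dir, strings.TrimSpace(m)), seen)
		if err != nil {
			return nil, err
		}
		found = append(found, sub...)
	}
	return found, nil
}

func main() {
	found, err := existingLockfiles(".", map[string]bool{})
	fmt.Println("existing lockfiles in linked modules:", found, "error:", err)
}
```

A lockfile in a folder that no pom.xml links as a module is not reported, which is the difference from option 2.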
Using the KISS principle I created a PR for option 1 to get it rolling. Happy to implement another option if preferred!
@pombredanne have you had time to look at this? wdyt of the options above?
`mvn dependency:tree` command would typically process all pom.xml in the codebase at once, and would generate one tree for each pom.xml
`mvn dependency:tree -DoutputFile=maven-dependency-tree.lock -DoutputType=graphml` and optionally with `-Dmaven.test.skip=true` and `-DskipTests` to skip tests, or various other options (such as scope) to filter the tree. See https://maven.apache.org/plugins/maven-dependency-plugin/tree-mojo.html
Note that Maven now has a JSON format!