dropbox / dependency-guard

A Gradle plugin that guards against unintentional dependency changes.
Apache License 2.0
390 stars 14 forks

Support "allowedFilter" without a baseline file #78

Open qwert2603 opened 1 year ago

qwert2603 commented 1 year ago

One of the possible use cases of the dependencyGuard plugin is to restrict particular dependencies between modules of a multi-module project. For example, to restrict a feature-module as a dependency of a core-module in an Android project.

Such a use case can easily be handled via the allowedFilter parameter of the dependencyGuard configuration. The dependencyGuard plugin can be applied in the core-module with allowedFilter = { !it.startsWith("feature-") }. But a baseline file will also be created in that case, though it is not needed. For the core-module we don't need to guard against dependency changes, but only against particular dependencies themselves.

From this it follows that there may be some configuration of the dependencyGuard plugin that allows specifying allowedFilter without creating a baseline file.

One possible solution may be adding a special function noBaseline() that can be assigned to baselineMap to explicitly specify that a baseline file is not needed (using baselineMap = { null } for that is less explicit).

dependencyGuard {
    configuration("releaseRuntimeClasspath") {
        modules = true
        allowedFilter = { !it.startsWith("feature-") }
        baselineMap = noBaseline()
    }
}

Another possible solution may be adding a parameter guardDiff or baselineFile (defaulting to true) that will control whether a baseline file is created or not. But this solution has drawbacks:

dependencyGuard {
    configuration("releaseRuntimeClasspath") {
        modules = true
        allowedFilter = { !it.startsWith("feature-") }
        guardDiff = false
    }
}

IMHO, the first solution is preferred, because it is more explicit.

kyhule commented 1 year ago

I've been meaning to create a very similar feature request. Our use case would be to prevent test libraries and SNAPSHOT releases via the allowedFilter without maintaining a baseline. I proposed integrating this plugin, but many people had reservations, as we have a polyrepo architecture, so dependencies are getting bumped in the host application repo with every pull request.

utzcoz commented 4 months ago

I also faced a similar scenario: I/we want to use dependency-guard to guard only specific dependencies, and let other dependencies be bumped by automated tools if they don't bump the version of the dependency that we want to guard. But the current dependency-guard looks like it requires a baseline that contains the full list of dependencies. Is it possible to support the feature that this issue proposes?
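
A baseline-free deny check for the three cases raised in this thread (feature modules, SNAPSHOT releases, test libraries), written as an added example against Gradle's own resolution API; it is not dependency-guard code and not from any commenter. The task name checkDeniedDependencies and the test-library group list are assumptions, and the task is not configuration-cache compatible.

```kotlin
// build.gradle.kts of the core module (added example, not part of dependency-guard)
import org.gradle.api.artifacts.component.ModuleComponentIdentifier
import org.gradle.api.artifacts.component.ProjectComponentIdentifier

// Assumed list of groups treated as test-only libraries; adjust to your project.
val testLibraryGroups = setOf("junit", "org.junit.jupiter", "org.mockito")

// Hypothetical task name. Wire it into `check` if it should gate CI.
tasks.register("checkDeniedDependencies") {
    group = "verification"
    description = "Fails if the release classpath contains a denied dependency."
    // Configuration name taken from the issue. It is looked up at execution
    // time because Android creates variant configurations late.
    val configurationName = "releaseRuntimeClasspath"
    doLast {
        // allComponents covers direct and transitive dependencies
        // (and the module itself, which no rule below matches for a core module).
        val components = project.configurations.getByName(configurationName)
            .incoming.resolutionResult.allComponents
        val violations = components.mapNotNull { component ->
            when (val id = component.id) {
                is ProjectComponentIdentifier ->
                    // projectPath looks like ":feature-login" or ":features:feature-login"
                    id.projectPath
                        .takeIf { it.substringAfterLast(':').startsWith("feature-") }
                        ?.let { "$it (feature module)" }
                is ModuleComponentIdentifier -> when {
                    id.version.endsWith("-SNAPSHOT") -> "${id.displayName} (SNAPSHOT release)"
                    id.group in testLibraryGroups -> "${id.displayName} (test library)"
                    else -> null
                }
                else -> null
            }
        }
        if (violations.isNotEmpty()) {
            throw GradleException(
                "Denied dependencies on $configurationName:\n" +
                    violations.joinToString("\n") { " - $it" }
            )
        }
    }
}
```

Because nothing is written to disk, automated version bumps pass as long as no resolved component matches a rule.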