vandmo / dependency-lock-maven-plugin

Maven plugin that makes sure that Maven dependencies are not accidentally changed.
https://github.com/vandmo/dependency-lock-maven-plugin
Apache License 2.0
64 stars 10 forks

Using the lockfile as dependencyManagement #72

Closed ia3andy closed 10 months ago

ia3andy commented 10 months ago

Currently the lockfile is just acting as a check, did you consider using it as dependencyManagement from the Maven plugin?

In our case (mvnpm.org), just checking is not enough, as the versions synced on the mvnpm repo and Central are different, leading to different Maven resolutions.

Also, locking the BOM means a quicker resolution on CI.

vandmo commented 10 months ago

In principle I think it would be good if dependency-lock-maven-plugin could have the lock file as the input to dependency resolution instead of just doing a check.

I have experimented with using the lock file instead of dependencyManagement. The "issues" I ran into were how I would create the lock file in those cases. Since I wanted the same versions of Spring, Netty etc. I wanted to use their BOM as input to the locking mechanism, and then I ended up realizing that since I needed an exhaustive dependencyManagement section to generate the lock file, I could just as well continue to use that for dependency resolution.

Another thing I have noticed is that Maven likes to downgrade versions of transitive dependencies due to seemingly arbitrary and unrelated changes. So I would need to add Guava etc. to dependencyManagement as well to stop it from being downgraded.

I don't mind making it possible to use the lock file for dependency management in dependency-lock-maven-plugin, but for it to be really useful, the creation of the lock file would probably need some more input than the dependencies section.
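The setup vandmo describes above (an imported BOM as the version source, plus explicit pins for transitive dependencies such as Guava that Maven would otherwise downgrade, with the plugin only checking the result) as an added pom.xml example. This is not code from the issue or from the project; the group/artifact coordinates of the BOM and of Guava are real, the version placeholders `X.Y.Z` are constructed, and the `se.vandmo` plugin coordinates and the `check` goal are my recollection of the project's README and should be verified against it.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>locked-build</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- Placeholder versions: choose the BOM and Guava versions you want to lock to. -->
    <spring-boot.version>X.Y.Z</spring-boot.version>
    <guava.version>X.Y.Z</guava.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- The BOM supplies the managed versions of Spring, Netty etc.
           and is the input from which the lock file is generated. -->
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>${spring-boot.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <!-- An explicit pin for a transitive dependency that nearest-wins
           resolution would otherwise silently downgrade after an unrelated
           change elsewhere in the graph. -->
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>${guava.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Versions come from dependencyManagement, so none are declared here. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Coordinates and goal name assumed from the project README; verify there.
           The plugin compares the resolved tree against the committed lock file
           and fails the build on any difference, so a downgrade or a version
           that differs between two repositories is caught rather than shipped. -->
      <plugin>
        <groupId>se.vandmo</groupId>
        <artifactId>dependency-lock-maven-plugin</artifactId>
        <version>X.Y.Z</version>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

The point of keeping the pin in dependencyManagement rather than only in the lock file is the one vandmo makes: the lock file records what was resolved, but it is dependencyManagement that steers resolution, so without the explicit Guava entry the check would simply report the downgrade rather than prevent it.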

ia3andy commented 10 months ago

Hello @vandmo thanks for your answer!

I've played with a generated BOM used as depMngt for a few days and it's really tricky to have something consistent.

I ended up using part of your code for our own limited purpose (I've kept you as developer in the pom.xml since it's strongly inspired by/copied from your sources); it scopes to org.mvnpm dependencies by default: https://github.com/mvnpm/mvnpm-locker

The main problem I met is when there are other BOMs in a project: the exclusions get overridden by the locker BOM, which is not ok. In the mvnpm case we shouldn't have this problem, but I created an issue: https://github.com/mvnpm/mvnpm-locker/issues/1.

Thanks a lot for your plugin, and let me know if at some point there are some concepts that would benefit from being ported back to your plugin :)