Specifies if the build should be failed #387
Comments
Having the same issue, would be great to have this implemented or explained.
Same issue here, but the summary is a bit confusing. Suggested rewording:
I'm working on an article on "Modern Java/JVM Build Practices", and this plugin is one of the recommendations for Maven projects (https://github.com/ben-manes/gradle-versions-plugin is the counterpart for Gradle projects). I'd like to offer advice on failing the build if plugins/dependencies are out of date -- with an eye to helping teams that want explicit version exclusions when needed. So this issue is important for me. What do you suggest?
This issue is stale because it has been open 365 days with no activity. Remove stale label or comment or this will be closed in 30 days.
Hi all. Is there still popular interest in having this feature implemented?
Yes! This feature would simplify life :-)
Ok, I'm working on it. But it will be done as an Enforcer rule. So, it will have to be used in combination with the Enforcer plugin. I'll describe how to do it in the Examples section. In a very short example:
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <executions>
        <execution>
          <!-- goals are declared inside an execution so that enforce is bound to the build -->
          <goals>
            <goal>enforce</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <rules>
          <!-- fail when more than maxUpdates dependency updates are found -->
          <maxDependencyUpdates>
            <maxUpdates>0</maxUpdates>
            <ignoreMinorUpdates>true</ignoreMinorUpdates>
          </maxDependencyUpdates>
        </rules>
      </configuration>
      <dependencies>
        <dependency>
          <groupId>org.codehaus.mojo</groupId>
          <artifactId>versions-maven-plugin</artifactId>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>
The above configuration will fail if it discovers any dependencies with major updates. Minor and lesser updates will be ignored.
Sounds reasonable. Is there a separate GitHub "Issue" where your work can be discussed? An idea is to make it possible to suppress versions that are not suitable to update to. For example, a project might feel that they are not ready to move to Spring Boot 3 (whenever that is released). The project "dependency-check-maven" supports suppressions (of false positives when looking for vulnerabilities). A suppression can even have an expiry date. In our case here one would be able to express that "we are not ready to move to Spring Boot now, but in one month we'll have time, and we should do it then".
I think this could best be discussed here. A feature like you describe is already present in version maven plugin though - dependency includes/excludes, which could be used to filter GAV regex patterns which are or aren't to be considered. This could be used to filter out Spring Boot or for example just instruct the plugin to check a select set of dependencies.
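The pass/fail decision discussed in the comments above (maxUpdates, ignoreMinorUpdates, and the idea of a suppression with an expiry date), as an added Python model that is not part of the thread and not the plugin's code. The glob patterns on groupId:artifactId, the expiring suppression list and all sample data are assumptions made for illustration.

```python
import fnmatch
import re
from datetime import date

def update_kind(current, latest):
    """Return 'major', 'minor', 'incremental', or None if latest is not newer."""
    def parse(v):  # first three numeric segments; qualifiers such as -M1 are dropped
        nums = [int(n) for n in re.findall(r"\d+", v)[:3]]
        return nums + [0] * (3 - len(nums))
    for kind, cur, new in zip(("major", "minor", "incremental"), parse(current), parse(latest)):
        if new != cur:
            return kind if new > cur else None
    return None

def check(deps, max_updates=0, ignore_minor=False, suppressions=(), today=None):
    """Model of the rule: pass only if the counted updates do not exceed max_updates.

    deps: (groupId:artifactId, current, latest) tuples.
    suppressions: (glob pattern, expiry date) pairs; ignored once expired (hypothetical feature).
    """
    today = today or date.today()
    counted = []
    for ga, current, latest in deps:
        kind = update_kind(current, latest)
        # ignore_minor drops minor and smaller updates, leaving only major ones
        if kind is None or (ignore_minor and kind != "major"):
            continue
        if any(fnmatch.fnmatch(ga, pat) and today <= expiry for pat, expiry in suppressions):
            continue
        counted.append((ga, kind))
    return len(counted) <= max_updates, counted

# Constructed sample data, not output of the plugin.
DEPS = [
    ("org.springframework.boot:spring-boot", "2.7.5", "3.0.0"),
    ("com.example:lib-a", "1.4.0", "1.5.2"),
    ("com.example:lib-b", "1.0.0", "2.1.0"),
    ("com.example:lib-c", "4.2.1", "4.2.1"),
]
DEFER_BOOT = [("org.springframework.boot:*", date(2023, 1, 31))]

if __name__ == "__main__":
    for day in (date(2023, 1, 15), date(2023, 2, 1)):
        ok, counted = check(DEPS, max_updates=1, ignore_minor=True,
                            suppressions=DEFER_BOOT, today=day)
        print(day, "PASS" if ok else "FAIL", counted)
```

With the suppression active the sample passes at maxUpdates 1; once the expiry date has passed, the deferred Spring Boot upgrade counts again and the same input fails.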
…number of allowed dependency updates
Checking on how this is looking. Is there a version I can try the enforcer feature with?
Yes, it's released as of 2.14.0.
Hi,
we have the following case within the team:
As a developer I want to see how I can check the topicality for my dependencies for my application in a proper way.
We perform a dependency check using the versions-maven-plugin for topicality inside the stage of the Jenkins pipeline.
How can we ensure that the build fails in case e.g. a dependency has a major update available or e.g. we have more than 5 dependencies which require a major update etc.?
I didn't see the possibility in the plugin configuration or maybe I overlooked it.
Best regards,
Kamil