-
Notifications
You must be signed in to change notification settings - Fork 186
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a 'bom' to support managing dependencies #1766
Comments
I understand you mean a BOM only with |
It should include org.ops4j.pax.web groupId artifacts, and dependencies. Basically, anything listed in a pax-web-* feature, so downstream users can simply reference 'org.eclipse.jetty/jetty-server' and the version is managed. For example:
|
Come to think of it, pax-web might need separate boms if there are any overlap of transitive deps for pax-web-jetty vs pax-web-tomcat vs pax-web-undertow. |
And the "dependencies" part is what I was afraid of... Because it'd include JavaEE APIs (even the fundamental one - |
The pom section used in a bom is dependencyManagement. You can list all the servlet api options without them being transitive. The dependencyManagement does not mean dependency, it only sets version and scope when referenced by child poms in a dependency section. |
yes yes yes, I just work with BOMs for last few years and I know how messy they can be ;) I like the clean approach of https://repo1.maven.org/maven2/org/springframework/spring-framework-bom/5.3.23/spring-framework-bom-5.3.23.pom - it lists only own managed dependencies. |
@grgrzybek what is a scenario that breaks with boms? If child project imports 2 boms that have different versions, maven will resolve one and the user has the option of using the resolved, or overriding version and scope. The problem with only using ‘own’ managed deps is that there is now a gap from what is listed in the feature. For building offline repos (ie. pax-web + cxf) requires surgery. |
Yes, I understand. We could start with "project-bom" that lists only Pax Web managed deps and add optional, convenient "all-bom" (or "dev-bom", or "user-bom") that lists current dependencies (for example if there was Jetty BOM, I could use it there. The point is that I prefer managing my own dependencies than include one BOM. I trust Spring Framework BOM, but for example, Spring Boot BOM is just too much - I want to control more. But that's personal approach. Let me thing about it - maybe you could create a PR with a suggestion? |
No description provided.
The text was updated successfully, but these errors were encountered: