December 6, 2017

[EN] How to fix maven


As much as I love Java and Maven, I really dislike pinning dependencies to specific versions. It leads to projects being released with outdated libraries that potentially carry a lot of known and long-fixed security issues. Right now I use the versions plugin to update them, but that is obviously not satisfying.


It would make far more sense to have a dependency point to the latest stable version by default, or at least to the latest stable release within the current major version.

"But that will break my builds"

Yes, and it should. Maven repositories are not intended to have security fixes backported. If a new version breaks your build, you have either been using deprecated methods for a long time or you should consider using another dependency. This behavior will actually discourage the use of buggy and badly maintained packages, which is a very nice side effect.


"Suddenly feature xyz disappeared"

Try to work around it or choose a different package. This can also be avoided by using the latest release within the same major version, provided the package maintainer follows the "Major.Minor.Revision.Build" scheme (with no feature being dropped within the same major version development cycle).
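As an added illustration (not code from the original post), here is a constructed pom.xml fragment showing the pinned version the post objects to, a Maven version range that tracks the newest release within the same major, and the versions plugin goals used to find and apply updates; com.example:example-lib, example-lib-ranged and the version numbers are placeholders.

```xml
<!-- Constructed pom.xml fragment (not the post's own code); com.example:example-lib,
     example-lib-ranged and their versions are placeholders. -->
<project>
  <dependencies>
    <!-- 1. Pinned version: what the post objects to. Stays at 1.2.3 until someone
            edits this line, so releases that fix known bugs are never picked up. -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>example-lib</artifactId>
      <version>1.2.3</version>
    </dependency>

    <!-- 2. Version range: "any version from 1.2.3 up to, but excluding, 2.0".
            Maven resolves it to the newest matching version in the repository at
            build time, i.e. the post's "latest stable within the same major" rule,
            at the cost of builds that are no longer reproducible. -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>example-lib-ranged</artifactId>
      <version>[1.2.3,2.0)</version>
    </dependency>
  </dependencies>
</project>
<!--
  3. The versions plugin route (what the post currently uses), run from the
     project directory; org.codehaus.mojo is in Maven's default plugin groups,
     so the plugin does not have to be declared in the pom:

     mvn versions:display-dependency-updates
         reports newer releases for every dependency, changes nothing

     mvn versions:use-latest-releases -DallowMajorUpdates=false
         rewrites pinned versions to the newest release within the same major

     mvn versions:use-latest-releases
         rewrites pinned versions to the newest release, major bumps included

  The use-latest-* goals edit the pom in place and leave pom.xml.versionsBackup
  behind; review the diff and run the build before committing.
-->
```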


Further reading:
Why I hate virtualenv and pip
My original rant on twitter

The explanation why this feature has been dropped:
"For the sake of reproducible builds ..."