Prevent maven-shade-plugin from exposing <system> dependency?

问题

Thanks to a separate thread, I realized my project's uber-jar had a bug. I create the uber-jar using maven-shade-plugin because I need the more advanced transformer capabilities to merge several ServiceLoader definitions.

So, the issue is that my project has a system-scope compile-time dependency on tools.jar, locating tools.jar on the local machine relative to the value of the java.home sysprop. The bug is that I didn't realize this dependency was:

1. leaking into the dependency-reduced pom.xml of the uber-jar, and
2. even worse, the pattern ${java.home} in the dependency definition was being resolved and hard-coded into the uber-jar's POM. This second part was particularly embarrassing as it reveals the JDK location of the build machine (see line 50 here).

To workaround this problem, I conditionally disabled the profile which created the dependency. All details below are in the <activation> section:

Before:

<profile>
  <id>internal.tools-jar</id>
  <activation>
    <file>
      <exists>${java.home}/../lib/tools.jar</exists>
    </file>
  </activation>
  <dependencies>
    <dependency>
      <groupId>com.sun</groupId>
      <artifactId>tools</artifactId>
      <version>1.8.0</version>
      <scope>system</scope>
      <systemPath>${java.home}/../lib/tools.jar</systemPath>
    </dependency>
  </dependencies>
</profile>

After:

<profile>
  <id>internal.tools-jar</id>
  <activation>
    <jdk>1.8</jdk>
    <file>
      <missing>src/main/java/systems/manifold/Dummy.java</missing> <!-- this file is only present in the uber-jar module, therefore exclude if present -->
    </file>
  </activation>
  <dependencies>
    <dependency>
      <groupId>com.sun</groupId>
      <artifactId>tools</artifactId>
      <version>1.8.0</version>
      <scope>system</scope>
      <systemPath>${java.home}/../lib/tools.jar</systemPath>
    </dependency>
  </dependencies>
</profile>

So, after all that, my question is: is this the best way to prevent this system-scoped dependency from leaking into the uber-jar's dependency-reduced pom.xml?

Thanks in advance,

Kyle

Updated 2018-02-16:

Unfortunately the following configuration in the shade plugin doesn't prevent the system-scope dependency from leaking:

<artifactSet>
  <excludes>
    <exclude>*</exclude>
  </excludes>
</artifactSet>

to the shade plugin's configuration but the resolved system scope dependency still shows up in the POM. Puzzling!

来源：https://stackoverflow.com/questions/48795733/prevent-maven-shade-plugin-from-exposing-system-dependency