Question
Is there a way, e.g. a Maven plug-in, that can take a list of unwanted/blacklisted dependencies (direct and transitive) and fail the build if it detects one of the listed dependencies?
In my project we strictly want to get rid of Apache Commons Logging and replace it with the SLF4J JCL Bridge. I am aware that we have to exclude the unwanted deps ourselves, but I would like to have the build fail if someone adds a dependency that brings in a blacklisted dependency.
Answer 1:
You can ban some dependencies using the maven-enforcer-plugin.
Here is their example with updates for your exclusion of Apache Commons Logging.
<project>
  [...]
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>1.1.1</version>
        <executions>
          <execution>
            <id>enforce-banned-dependencies</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <exclude>commons-logging:commons-logging</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
  [...]
</project>
The output when running mvn install will be:
[WARNING] Rule 1: org.apache.maven.plugins.enforcer.BannedDependencies failed with message:
Found Banned Dependency: commons-logging:commons-logging:jar:1.1.1
Use 'mvn dependency:tree' to locate the source of the banned dependencies.
It all ends with a BUILD FAILURE.
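The enforcer message above points to mvn dependency:tree for locating the source. As an added example (not part of the original answer), this Python script parses that tree output and reports the chain that pulls in a banned artifact, which identifies the direct dependency that needs the exclusion. The sample tree and every coordinate in it are constructed, and the groupId:artifactId glob matching is an assumed simplification of the rule's pattern syntax.

```python
import fnmatch
import re

# Constructed `mvn dependency:tree` output; every coordinate is sample data.
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:1.0-SNAPSHOT
[INFO] +- com.example:reporting-lib:jar:2.3:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.2.1:compile
[INFO] |  |  +- org.apache.httpcomponents:httpcore:jar:4.2.1:compile
[INFO] |  |  \- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] |  \- com.google.guava:guava:jar:13.0.1:compile
[INFO] +- org.slf4j:jcl-over-slf4j:jar:1.7.2:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.2:compile
[INFO] \- junit:junit:jar:4.11:test
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test
"""

# Tree-drawing prefix (3 characters per level), then a coordinate of 4-6 fields.
NODE = re.compile(r"^\[INFO\] ((?:[|+\\ ][- ] )*)([^:\s]+(?::[^:\s]+){3,5})\s*$")


def banned_paths(tree_text, patterns):
    """Return the chain root -> ... -> banned artifact for every match.

    patterns are groupId:artifactId globs, a simplified subset of the
    pattern syntax accepted by the bannedDependencies rule.
    """
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # banners, download logs, blank lines
        depth = len(m.group(1)) // 3
        coord = m.group(2)
        stack = stack[:depth] + [coord]  # drop siblings and deeper levels
        ga = ":".join(coord.split(":")[:2])
        if any(fnmatch.fnmatchcase(ga, p) for p in patterns):
            hits.append(list(stack))
    return hits


def exclusion_targets(paths):
    """Direct dependencies (depth 1) whose subtree contains a banned artifact."""
    return sorted({p[1] for p in paths if len(p) > 2})


if __name__ == "__main__":
    for path in banned_paths(SAMPLE_TREE, ["commons-logging:commons-logging"]):
        print(" -> ".join(path))
```

The default tree lists each resolved artifact once, so rerun it after adding an exclusion in case another dependency brings the same artifact back.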
Answer 2:
Yes, the enforcer plugin supports this with its bannedDependencies rule.
Source: https://stackoverflow.com/questions/12794049/blacklist-maven-dependencies