Release 2.0.10 uses SNAPSHOT dependencies #1053

Closed
slinkydeveloper opened this issue Mar 25, 2019 · 5 comments
@slinkydeveloper
Contributor

Hi,
Is it ok that release 2.0.10 uses snapshots from transitive dep swagger-parser 1.0.43?

[INFO] +- io.swagger.parser.v3:swagger-parser:jar:2.0.10:compile
[INFO] |  +- io.swagger.parser.v3:swagger-parser-v2-converter:jar:2.0.10:compile
[INFO] |  |  +- io.swagger:swagger-parser:jar:1.0.43:compile
[INFO] |  |  |  \- io.swagger:swagger-core:jar:1.5.23-SNAPSHOT:compile
[INFO] |  |  |     \- io.swagger:swagger-models:jar:1.5.23-SNAPSHOT:compile
[INFO] |  |  |        \- io.swagger:swagger-annotations:jar:1.5.23-SNAPSHOT:compile
[INFO] |  |  +- io.swagger:swagger-compat-spec-parser:jar:1.0.43:compile
[INFO] |  |  |  +- com.github.java-json-tools:json-schema-validator:jar:2.2.8:compile
[INFO] |  |  |  |  +- com.github.java-json-tools:json-schema-core:jar:1.2.8:compile
[INFO] |  |  |  |  |  +- org.mozilla:rhino:jar:1.7R4:compile
[INFO] |  |  |  |  |  \- com.github.fge:uri-template:jar:0.9:compile
[INFO] |  |  |  |  +- javax.mail:mailapi:jar:1.4.3:compile
[INFO] |  |  |  |  |  \- javax.activation:activation:jar:1.1:compile
[INFO] |  |  |  |  +- joda-time:joda-time:jar:2.9.7:compile
[INFO] |  |  |  |  +- com.googlecode.libphonenumber:libphonenumber:jar:8.0.0:compile
[INFO] |  |  |  |  \- net.sf.jopt-simple:jopt-simple:jar:5.0.3:compile
[INFO] |  |  |  +- com.github.fge:json-patch:jar:1.6:compile
[INFO] |  |  |  |  \- com.github.fge:jackson-coreutils:jar:1.6:compile
[INFO] |  |  |  |     \- com.github.fge:msg-simple:jar:1.1:compile
[INFO] |  |  |  |        \- com.github.fge:btf:jar:1.2:compile
[INFO] |  |  |  \- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO] |  |  |     +- org.apache.httpcomponents:httpcore:jar:4.4.4:compile
[INFO] |  |  |     +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  |  |     \- commons-codec:commons-codec:jar:1.9:compile
[INFO] |  |  +- io.swagger.core.v3:swagger-models:jar:2.0.7:compile
[INFO] |  |  \- io.swagger.parser.v3:swagger-parser-core:jar:2.0.10:compile
[INFO] |  +- io.swagger.parser.v3:swagger-parser-v3:jar:2.0.10:compile
[INFO] |  |  \- io.swagger.core.v3:swagger-core:jar:2.0.7:compile
[INFO] |  |     +- javax.xml.bind:jaxb-api:jar:2.3.0:compile
[INFO] |  |     +- io.swagger.core.v3:swagger-annotations:jar:2.0.7:compile
[INFO] |  |     \- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] |  +- org.slf4j:slf4j-ext:jar:1.6.3:compile
[INFO] |  |  \- ch.qos.cal10n:cal10n-api:jar:0.7.4:compile
[INFO] |  \- commons-io:commons-io:jar:2.4:compile
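
An added example, not part of the original thread or the project's code: a Python check that reads `mvn dependency:tree` text output and reports each SNAPSHOT coordinate together with the nearest released ancestor that pulls it in. The function name `snapshot_paths` is hypothetical, and the embedded sample is a constructed excerpt of the tree above.

```python
import re

# Constructed sample: an excerpt of the `mvn dependency:tree` output quoted above.
SAMPLE_TREE = r"""
[INFO] +- io.swagger.parser.v3:swagger-parser:jar:2.0.10:compile
[INFO] |  +- io.swagger.parser.v3:swagger-parser-v2-converter:jar:2.0.10:compile
[INFO] |  |  +- io.swagger:swagger-parser:jar:1.0.43:compile
[INFO] |  |  |  \- io.swagger:swagger-core:jar:1.5.23-SNAPSHOT:compile
[INFO] |  |  |     \- io.swagger:swagger-models:jar:1.5.23-SNAPSHOT:compile
[INFO] |  |  |        \- io.swagger:swagger-annotations:jar:1.5.23-SNAPSHOT:compile
[INFO] |  |  +- io.swagger.core.v3:swagger-models:jar:2.0.7:compile
[INFO] |  \- commons-io:commons-io:jar:2.4:compile
"""

# Optional "[INFO] " prefix, 3-character indent cells, optional "+- " or "\- " marker.
NODE = re.compile(r"^(?:\[INFO\] )?(?P<indent>[| ]*)(?P<mark>[+\\]- )?(?P<gav>\S+)")


def snapshot_paths(tree_text):
    """Return (snapshot_gav, introduced_by, chain) for every SNAPSHOT node.

    introduced_by is the nearest ancestor with a release version, i.e. the
    published artifact whose POM pulls the snapshot in (None if there is none).
    """
    stack, findings = [], []  # stack holds (depth, gav, version) of open ancestors
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m or m.group("gav").count(":") < 3:
            continue  # not a dependency line (banner, summary, blank)
        gav = m.group("gav")
        depth = len(m.group("indent")) // 3 + (1 if m.group("mark") else 0)
        parts = gav.split(":")
        # group:artifact:type[:classifier]:version[:scope]; the root line has no scope
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        while stack and stack[-1][0] >= depth:
            stack.pop()  # leave subtrees we have walked out of
        if version.endswith("-SNAPSHOT"):
            releases = [g for _, g, v in stack if not v.endswith("-SNAPSHOT")]
            chain = [g for _, g, _ in stack]
            findings.append((gav, releases[-1] if releases else None, chain))
        stack.append((depth, gav, version))
    return findings


if __name__ == "__main__":
    for gav, introduced_by, chain in snapshot_paths(SAMPLE_TREE):
        print(f"{gav}\n  introduced by: {introduced_by}\n  via: {' > '.join(chain)}")
```
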
slinkydeveloper changed the title from "Release 2.0.10 uses SNAPSHOTs" to "Release 2.0.10 uses SNAPSHOT dependencies" on Mar 25, 2019
@jmini
Contributor

jmini commented Mar 25, 2019

I think it is not OK.

Swagger-Parser release 1.0.43 has a dependency on the 1.5.23-SNAPSHOT version of io.swagger:swagger-core.

I understand that SNAPSHOT can be useful during development (and even there I prefer to work with released versions on the master branches. For me using a SNAPSHOT version is only allowed on feature branches -- having a strong rule like this can be discussed, it is a matter of taste).

For releases, having SNAPSHOT in the dependency tree is a bad practice.

Are you using a specific maven profile when you do the release? Maybe we can configure the maven-enforcer-plugin to be activated in the release case?
See https://maven.apache.org/enforcer/enforcer-rules/requireReleaseDeps.html

@jmini
Contributor

jmini commented Mar 26, 2019

To prevent situations like this in the future, I propose to let maven fail if a release is built with some SNAPSHOT versions in the dependency tree:

@jakjohnson

jakjohnson commented Mar 26, 2019

This makes it mandatory to add https://oss.sonatype.org/content/repositories/snapshots/ as a repository which is not so obvious reading the documentation as the parser release 2.0.10 is not a snapshot version.

@frantuma
Member

Thanks @slinkydeveloper for spotting and reporting, and @jmini for the PRs; no snapshot dep should have made it to release, enforcer was planned but unfortunately not yet applied, so thanks again and please use 1.0.44 / 2.0.11 being released in the next hours

@jmini
Contributor

jmini commented Mar 26, 2019

Thank you a lot for the quick reaction
