
A BOM is used as an include for dependencies; however, it appears that the check for SNAPSHOT versions only occurs after this BOM has been included. If a BOM has no SNAPSHOT mentioned in it, it can be a SNAPSHOT version itself. The problem is that after the release, this SNAPSHOT of the BOM is not released.

As you can see, this version was released to Maven Central with a SNAPSHOT BOM.

```xml
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>net.openhft</groupId>
            <artifactId>third-party-bom</artifactId>
            <type>pom</type>
            <version>3.5.0</version>
            <scope>import</scope>
        </dependency>

        <dependency>
            <groupId>net.openhft</groupId>
            <artifactId>chronicle-bom</artifactId>
            <version>1.12.14-SNAPSHOT</version> <!-- latest release plugin allows this -->
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>
```

http://search.maven.org/#artifactdetails%7Cnet.openhft%7Cchronicle-bytes%7C1.5.0%7Cbundle

Is there a plugin to ensure that the BOM is a release version?

While there have been bugs reported for SNAPSHOT dependencies in dependencyManagement, this doesn't cover when the BOM imported is itself on a SNAPSHOT. Additionally, those bugs were resolved years ago, whereas this issue happens with the most current release.


EDIT: After updating the maven-release-plugin to 2.5.3, I am still able to do a release:prepare with a SNAPSHOT version of our BOM.

Peter Lawrey
  • maybe the enforcer plugin is able to pick up those violations: https://maven.apache.org/enforcer/enforcer-rules/index.html - haven't tried it with that combination. – wemu May 01 '16 at 10:38
  • Possible duplicate of [why does maven release plugin allow for SNAPSHOT version in dependency managment?](http://stackoverflow.com/questions/2089246/why-does-maven-release-plugin-allow-for-snapshot-version-in-dependency-managment) – Tunaki May 01 '16 at 11:09
  • It should do that but there's a bug... so the only way to prevent it is to vote for that bug to be fixed I'm afraid. – Tunaki May 01 '16 at 11:10
  • @khmarbaise It seems to be [MRELEASE-454](https://issues.apache.org/jira/browse/MRELEASE-454). Its status is fixed in 2.2.2 but the problem [reappeared in 2.4](https://issues.apache.org/jira/browse/MRELEASE-454?focusedCommentId=14445162&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14445162). – Tunaki May 01 '16 at 11:21
  • @Tunaki while those bugs are related, they have been resolved. – Peter Lawrey May 01 '16 at 11:22
  • @Tunaki You are referencing bugs which have already been fixed. Furthermore referencing old releases (2.4 from 2012) https://maven.apache.org/maven-release/maven-release-plugin/ Currently 2.5.3 is the up-to-date one..? – khmarbaise May 01 '16 at 11:29
  • @PeterLawrey Which version of the maven-release-plugin do you use for your build? – khmarbaise May 01 '16 at 11:29
  • @khmarbaise I was using an older version but have found `2.5.3` also allows SNAPSHOT `bom` in a release. – Peter Lawrey May 01 '16 at 11:48
  • Correct, all the issues referenced [here](http://stackoverflow.com/a/2091852/1743880) are marked as resolved (comments on the issues indicate otherwise though). Still, the plugin should do that so I believe the linked answer answers this question. It just needs to be updated to mention that the issue is still present with the latest version. – Tunaki May 01 '16 at 12:00
  • @PeterLawrey If you have found out then please open a [new jira ticket for it that there is a problem with it](https://issues.apache.org/jira/browse/MRELEASE)... – khmarbaise May 01 '16 at 12:17
  • @khmarbaise for some reason, I couldn't work out how to do this before, but I can now https://issues.apache.org/jira/browse/MRELEASE-949 – Peter Lawrey May 01 '16 at 17:47
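
A pre-release check for the gap described in the question, as an added example that is not part of the original post or of any Maven plugin: it parses a `pom.xml` and reports every import-scoped BOM in `dependencyManagement` whose version is a SNAPSHOT. The function name, the `<project>` wrapper around the question's fragment, and the fail-closed handling of unresolved `${...}` properties are assumptions of this example.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the question's fragment wrapped in a minimal <project>.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>net.openhft</groupId><artifactId>third-party-bom</artifactId>
      <type>pom</type><version>3.5.0</version><scope>import</scope>
    </dependency>
    <dependency>
      <groupId>net.openhft</groupId><artifactId>chronicle-bom</artifactId>
      <version>1.12.14-SNAPSHOT</version><type>pom</type><scope>import</scope>
    </dependency>
  </dependencies></dependencyManagement>
</project>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def _text(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), "")

def snapshot_bom_imports(pom_xml):
    """Return (groupId, artifactId, version) for each import-scoped BOM that is
    a SNAPSHOT or whose version property cannot be resolved in this file."""
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip()
             for e in root if _local(e.tag) == "properties" for p in e}
    findings = []
    # iter() also reaches dependencyManagement sections nested in <profiles>.
    for dm in (e for e in root.iter() if _local(e.tag) == "dependencyManagement"):
        for dep in (d for d in dm.iter() if _local(d.tag) == "dependency"):
            if _text(dep, "scope") != "import":
                continue
            version = re.sub(r"\$\{([^}]+)\}",
                             lambda m: props.get(m.group(1), m.group(0)),
                             _text(dep, "version"))
            # Fail closed: an unresolved ${...} may hide a SNAPSHOT in a parent POM.
            if version.upper().endswith("-SNAPSHOT") or "${" in version:
                findings.append((_text(dep, "groupId"), _text(dep, "artifactId"), version))
    return findings

if __name__ == "__main__":
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_POM
    bad = snapshot_bom_imports(xml_text)
    for g, a, v in bad:
        print(f"non-release BOM import: {g}:{a}:{v}")
    sys.exit(1 if bad else 0)
```

Run as a CI step before `release:prepare`; a non-zero exit status means at least one imported BOM is not a release version.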
