On Sat, 18 Feb 2023 at 03:03, Mark Waite <mark.earl.wa...@gmail.com> wrote: > > > > On Friday, February 17, 2023 at 9:08:02 AM UTC-7 James Nord wrote: > Hi all, > > What are peoples thoughts on being more (obviously) aggressive on the > required maven version for plugins? > > Currently we set a requirement in the plugin-pom on 3.8.1 so we do not allow > http repositories but nothing else is "enforced". > > I say enforced as we actually have implied but not respected requirements in > much later maven version in the maven-hpi plugin (as dependabot has happily > been suggesting updates and we are happily consuming them). Currently we > have managed to not break because the versions we are compiling against and > the APIs we are using are available in the older versions, but it is a > probably matter of time until this is no longer the case. > > So we could just downgrade the libraries and "jobs a goodun" in the > hpi-plugin, but at the same time there is various deprecated API usage that > we rely on, and maven 3.9 removes a lot of backward compatibility. > > At the same time - going to the "latest release" and then requiring that > means that users could not as easily downgrade (we would need to revert an > update of the plugin in the plugin-pom for example) > > What are peoples thoughts on what version is to be considered "too new" and > what would people think is also acceptable. > > This also ties into maven versions in ci.jenkins.io. > > one suggestion is say 2 weeks after ci.jenkins.io switches plugin builds to > use maven x then would consider it stable enough for use in maven-hpi-plugin? > > > I like the idea of using the most recent maven release in maven-hpi-plugin 2 > weeks after ci.jenkins.io has switched to use it.
Just saying there is no real need of upgrading maven-core dependencies in any maven-plugin to the latest. Whatever you do at runtime the plugin will get maven core API from the current maven version you are executing. upgrading because dependabot says so doesn't have any effect and just confusing (it's like a servlet container you always get the servlet api version from the container) probably better to stay on 3.8.x base... (except the day the plugin will be modify to use some of the new maven 4 apis which is probably not soon :) ) look at a widely plugin such maven-compiler-plugin it only depends on 3.2.5 (https://github.com/apache/maven-compiler-plugin/blob/b225b1c29b1ee2fc2b178d2f2f1b920afe1d9a75/pom.xml#L70) the only real action we could/should? do is having an enforcer rule enforcing the same version as the one declared. > > Mark Waite > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Developers" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to jenkinsci-dev+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/jenkinsci-dev/b60423b5-863c-4e8c-83ae-efac4a217ae5n%40googlegroups.com. -- Olivier Lamy http://linkedin.com/in/olamy -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAPoyBqSWgWJ%2B%2B%3D4o0cPu1JimoZDJ1oN1Xj5rJpWN%2BNnCL70cSA%40mail.gmail.com.
