Thanks for all the quick responses, greatly appreciate it. I’ll have to work 
with our architects and see if I can steer them away from this; build 
reproducibility is the highest priority.

Thanks again

From: Mark Derricutt <m...@talios.com>
Sent: Wednesday, April 13, 2022 4:49 PM
To: Maven Users List <users@maven.apache.org>
Subject: Re: Determine Maven Dependencies after a build

I don’t believe there currently is a way to do this in native Maven.

We ended up writing a custom tool/mojo for resolution management using a
DSL like:

repository https://repo1.maven.org/maven2 as central;

resolve highest org.antlr:antlr4-maven-plugin:[4.10,5.0.0) via central;

locked org.antlr:antlr4-maven-plugin:4.10;


Which tracks the repositories to check, a range to resolve, and what was
resolved/locked (also tracking deprecated/blacklisted dependencies).

These pom.deps files get attached as artifacts and can be subsequently
imported in downstream repos:

repository https://nexus.az1.smxk8s.net/repository/maven-public-group;

import groupId:artifact.bill-of-materials:3.3.150;

locked org.antlr:antlr4-maven-plugin:4.10;


From here, the actual pom.xml files are rewritten with
<version>[4.10]</version> references - locking the build to a specific,
locked range version (for extra banality we also automatically add
<exclusions> on * to prevent transitive dependencies).

This definitely has problems, but also has benefits, and it certainly made hot
fixes much easier to handle when we had different deployments staggered
into production between customer sites.

--
"Great artists are extremely selfish and arrogant things" — Steven Wilson,
Porcupine Tree


On 14/04/2022 at 6:25:47 AM, "Creager, Greg" <greg.crea...@hp.com.invalid>
wrote:

> I am trying to reproduce a build that was done a week ago. Our Maven pom
> files use ranges in many places ([1.0,1.1)); when I go look at the pom of the
> published project, it just shows the range, not the actual version chosen:
>
> Published pom:
> <dependency>
> <groupId>com.hp.cp.dfe.shared</groupId>
> <artifactId>common-types</artifactId>
> <version>[1.0,1.1)</version>
> </dependency>
>
>
> How do I determine the exact versions of dependencies used in a prior build?
> In Apache Ivy the published ivy.xml shows the exact version chosen. I was
> expecting Maven to have the same, and I am assuming I just am not using the
> right util.
>
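As an added illustration of the locking step Mark describes (rewriting ranged versions in a pom.xml to a hard `[x]` range and excluding all transitives), here is a small script that is not Mark's tool and not part of this thread. The sample pom and the lock map of resolved versions are constructed for the example.

```python
# Added example, not the thread's own tool: lock Maven version ranges in a
# pom.xml to the exact versions a prior build resolved, and exclude transitives,
# so the build is reproducible.
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Constructed sample pom: one ranged dependency (like the one in the question)
# and one already-fixed dependency that must be left untouched.
SAMPLE_POM = f"""<project xmlns="{POM_NS}">
  <dependencies>
    <dependency>
      <groupId>com.hp.cp.dfe.shared</groupId>
      <artifactId>common-types</artifactId>
      <version>[1.0,1.1)</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>fixed-lib</artifactId>
      <version>2.3</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed lock map: what the earlier build resolved (hypothetical value).
LOCKED = {"com.hp.cp.dfe.shared:common-types": "1.0.7"}


def ga(dep):
    """groupId:artifactId key for a <dependency> element."""
    return f"{dep.findtext('m:groupId', namespaces=NS)}:{dep.findtext('m:artifactId', namespaces=NS)}"


def is_range(version):
    """Maven ranges start with '[' or '('; a bare version does not."""
    return version.startswith(("[", "("))


def lock_pom(pom_xml, locked, exclude_transitives=True):
    """Rewrite each ranged <version> to the hard range [x] from the lock map and
    add a wildcard <exclusion>. A range with no locked entry raises KeyError
    instead of silently leaving the build non-reproducible."""
    ET.register_namespace("", POM_NS)
    root = ET.fromstring(pom_xml)
    for dep in list(root.iterfind(".//m:dependency", NS)):
        ver = dep.find("m:version", NS)
        if ver is None or not is_range(ver.text or ""):
            continue
        ver.text = f"[{locked[ga(dep)]}]"  # hard range: exactly this version
        if exclude_transitives and dep.find("m:exclusions", NS) is None:
            excl = ET.SubElement(ET.SubElement(dep, f"{{{POM_NS}}}exclusions"), f"{{{POM_NS}}}exclusion")
            ET.SubElement(excl, f"{{{POM_NS}}}groupId").text = "*"
            ET.SubElement(excl, f"{{{POM_NS}}}artifactId").text = "*"
    return ET.tostring(root, encoding="unicode")


def describe(pom_xml):
    """Map groupId:artifactId -> (version text, has wildcard exclusion) for checking."""
    root = ET.fromstring(pom_xml)
    return {ga(d): (d.findtext("m:version", namespaces=NS),
                    d.find("m:exclusions/m:exclusion[m:groupId='*']", NS) is not None)
            for d in root.iterfind(".//m:dependency", NS)}
```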
