Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[MDEP-964] Allowlist org.glassfish:javax.json #459

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

[MDEP-964] Allowlist org.glassfish:javax.json #459

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4386f5f
Allowlist org.glassfish:javax.json
elharo Nov 11, 2024
63999bc
integration test
elharo Nov 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions src/it/projects/analyze/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,12 @@
<artifactId>slf4j-simple</artifactId>
<version>2.0.16</version>
</dependency>
<!-- MDEP-964 javax.json is unused but should not be reported -->
<dependency>
<groupId>org.glassfish</groupId>
<artifactId>javax.json</artifactId>
<version>1.1.4</version>
</dependency>
</dependencies>

<build>
Expand Down
6 changes: 3 additions & 3 deletions src/main/java/org/apache/maven/plugins/dependency/analyze/AbstractAnalyzeMojo.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -120,7 +120,7 @@ public abstract class AbstractAnalyzeMojo extends AbstractMojo {
private boolean ignoreAllNonTestScoped;

/**
* Output the xml for the missing dependencies (used but not declared).
* Output the XML for the missing dependencies (used but not declared).
*
* @since 2.0-alpha-5
*/
Expand Down Expand Up @@ -231,7 +231,7 @@ public abstract class AbstractAnalyzeMojo extends AbstractMojo {
*
* @since 2.10
*/
@Parameter(defaultValue = "org.slf4j:slf4j-simple::")
@Parameter(defaultValue = "org.slf4j:slf4j-simple::,org.glassfish:javax.json::")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How big could this list of hidden default exclude be? and why this javax.json specially?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably less than 100 over time. Each one is an improvement.

javax.json because it's the next one I happened to stumble over when working on our own code.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should put it in other list ... when we use it as default it will be overridden when user use own list.

Should be added always, maybe we need a new parameter like useDefaultExcludes or some else ...

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if we need add every dependencies which we need in a specific projects ....
In such way we will have very long list

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we will have a very long list. ChatGPT-4 has roughly 1.8 trillion parameters. In 2025 that's a long list. Here, there might be a few dozen special cases occasionally encountered, though unless someone spends a lot of time on this, we will probably include less than ten. This is a small list.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nevermind how list is long will be lost when user add own excludes, so we should implement it in other way

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you suggest? We could include a base list of dependencies we always ignore and allow the user to add to this list.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you suggest? We could include a base list of dependencies we always ignore and allow the user to add to this list.

exactly - user should have a possibility to not use default excluded list

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you want the user to replace the default list then, not simply append to it?

My gut is that we should not warn on anything we're not sure about, and we're never sure about dependencies like slf4j that are commonly used by reflection.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ping. There are two incompatible ways forward here and both have been requested by different people at different times. Either would be better than the status quo so we should choose one.

Option 1: There is a non-overridable list of dependencies we never warn about when they are declared but not used. A project can append to this list but not replace it.

Option 2: There is an overridable list of dependencies we never warn about when they are declared but not used. Projects can replace the entire list.

I prefer Option 1. It's simpler, and matches what almost everyone wants in practice. It emits fewer warnings and produces less noise. It will not break anyone's build. There are fewer false posiitives.

I'm OK with Option 2 if necessary. I think anything beyond these two options adds unnecessary complexity for no real world purpose.

private String[] ignoredUnusedDeclaredDependencies;

/**
Expand All @@ -251,7 +251,7 @@ public abstract class AbstractAnalyzeMojo extends AbstractMojo {
*
* @since 3.3.0
*/
@Parameter(defaultValue = "org.slf4j:slf4j-simple::")
@Parameter(defaultValue = "org.slf4j:slf4j-simple::,org.glassfish:javax.json::")
private String[] ignoredNonTestScopedDependencies;

/**
Expand Down