Quantcast

Spring Boot starter POMs misusing transitive dependencies

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Spring Boot starter POMs misusing transitive dependencies

M. Justin
The Spring Boot project provides a set of "Starter
<http://docs.spring.io/spring-boot/docs/1.5.1.RELEASE/reference/htmlsingle/#using-boot-starter>"
dependencies.  Per Spring Boot's documentation:

Starters are a set of convenient dependency descriptors that you can
include in your application. You get a one-stop-shop for all the Spring and
related technology that you need, without having to hunt through sample
code and copy paste loads of dependency descriptors. For example, if you
want to get started using Spring and JPA for database access, just include
the spring-boot-starter-data-jpa dependency in your project, and you are
good to go.

The starters contain a lot of the dependencies that you need to get a
project up and running quickly and with a consistent, supported set of
managed transitive dependencies.

From this documentation and elsewhere it seems clear that the starter
dependencies are intended to transitively bring in numerous other
dependencies to be used at both runtime and compile.

Using this mechanism to transitively bring in compile-scoped dependencies
seems to be at odds with the intent of how Maven officially intends them to
be used.  Per the Maven documentation
<https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Scope>,
it is intended that transitive dependencies of compile-scoped dependencies
be the runtime scope, and that all compile dependencies should be
explicitly listed:

it is intended that [transitive dependencies of compile-scoped
dependencies] should be runtime scope instead, so that all compile
dependencies must be explicitly listed - however, there is the case where
the library you depend on extends a class from another library, forcing you
to have available [sic] at compile time. For this reason, compile time
dependencies remain as compile scope even when they are transitive.

Using the dependency:analyze
<https://maven.apache.org/plugins/maven-dependency-plugin/analyze-mojo.html>
goal makes this misuse extra clear (as I mentioned in a still-unanswered Stack
Overflow question <https://stackoverflow.com/questions/27994153> from two
years ago).

I am reading things correctly that Spring Boot is misusing this feature,
correct?  Is there a "correct" way that this functionality — conveniently
providing a set of dependencies at set known versions with a single simple
Maven configuration — would better be implemented?  Is this something that
Maven's own dependency mechanism should be extended to allow for (perhaps
with a new dependency scope), or perhaps something better served by a
custom Maven plugin?  Is this something where the realities of transitive
dependencies have changed such that the Maven documentation is no longer
accurate and relevant?  Or is this "not that big of a deal" that one of the
major Java frameworks is misusing its build tool in this manner?
Loading...