MNG-5818: Disallow the programmatic injection of project dependencies

The first step here is deprecating the publicly accessible method that allows
plugins to inject dependencies. The only plugin I currently know of that does
this is the cobertura-maven-plugin. Looking at that plugin, it appears the user
can specify the cobertura dependency for the instrumentation process, but if
they do not, the plugin attempts to inject the dependency. I believe the path
forward here is making sure these types of plugins instruct their users to
add the dependency explicitly.

I'm going to try and create a call-graph for all of Maven Central with my
first test to see if I can accurately detect all usages of MavenProject.setDependencyArtifacts
of artifact in Maven Central.
Jason van Zyl 2015-04-30 21:39:28 -04:00
parent 1d148be82b
commit 4567c8319e
1 changed files with 2 additions and 0 deletions

@ -995,11 +995,13 @@ public class MavenProject
* @return {@link Set} < {@link Artifact} > * @return {@link Set} < {@link Artifact} >
* @see #getArtifacts() to get all transitive dependencies * @see #getArtifacts() to get all transitive dependencies
*/ */
@Deprecated
public Set<Artifact> getDependencyArtifacts() public Set<Artifact> getDependencyArtifacts()
{ {
return dependencyArtifacts; return dependencyArtifacts;
} }
@Deprecated
public void setDependencyArtifacts( Set<Artifact> dependencyArtifacts ) public void setDependencyArtifacts( Set<Artifact> dependencyArtifacts )
{ {
this.dependencyArtifacts = dependencyArtifacts; this.dependencyArtifacts = dependencyArtifacts;
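
Review bot: Both new `@Deprecated` annotations, on getDependencyArtifacts() and on setDependencyArtifacts(), are added without a matching `@deprecated` Javadoc tag, so a plugin author who hits the deprecation warning gets no explanation and no migration path. The setter has no Javadoc at all in the visible lines; it should carry a `@deprecated` line saying that plugins must not inject dependencies and that users should declare the dependency explicitly, as the commit message describes. The commit message only argues for deprecating the injection path (the setter), so the deprecation of the getter needs its own stated reason and replacement, or should be left out of this change. The existing `@see #getArtifacts()` refers to all transitive dependencies, which is not documented here as an equivalent of the direct dependency set.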