Support vendoring for Maven #485
Labels
Comments
feelepxyz
added
T: feature-request
|
Just to bump this one, maybe this github action can be an inspiration for it! |
|
Hello, can we have an update on this one? Is this something you still consider implementing? It seems we have some alternatives for Gradle wrapper, for example and #2223 seems to be an active thread. However, I didn't find anything similar for maven as of now. |
|
No updates here @guilhemferr, sorry. We'll post something if there's some movement. |
|
Really disappointing, no progress here. I'm waiting for years for this feature. |
copybara-service bot
pushed a commit
to google/guava
that referenced
this issue
Oct 16, 2023
I set this up with: ``` mvn org.apache.maven.plugins:maven-wrapper-plugin:3.2.0:wrapper -Dtype=only-script -Dmaven=3.9.5 ``` It's not obvious to me whether we'd notice any differences between the 3 non-binary types (`source`, `script`, and `only-script`), so I've gone with the one that is newest, given that it sounds theoretically like it involves the fewest steps. (We got a recommendation for the Maven Wrapper [from Ben Manes](https://groups.google.com/g/guava-discuss/c/e5UVvuM9CP8/m/w2H3CjZ7AQAJ).) There does not yet appear to be a way to [make Dependabot automatically update the version of Maven we use](dependabot/dependabot-core#485) (nor the version of the wrapper itself, though I looked less hard for that because it's less important). We've already not kept up with Maven upgrades very carefully—and we might each be using different Maven versions for all I know!—so this isn't necessarily a huge downgrade. Still, we don't want to fall far behind what's on our machines or GitHub CI, so I've at least set myself a calendar reminder to check back every 6 months. RELNOTES=n/a PiperOrigin-RevId: 509334407
copybara-service bot
pushed a commit
to google/guava
that referenced
this issue
Oct 16, 2023
I set this up with: ``` mvn org.apache.maven.plugins:maven-wrapper-plugin:3.2.0:wrapper -Dtype=-script -Dmaven=3.9.5 ``` It's not obvious to me whether we'll notice many differences among the 3 non-binary types (`source`, `script`, and `only-script`). I initially went with `only-script`, which is newest, given that it sounded theoretically like it would involve the fewest steps. But I got [an error](https://github.com/google/guava/actions/runs/6536542346/job/17748480689?pr=6783) from the Windows CI: ``` distributionUrl is not valid, must match *-bin.zip or maven-mvnd-*.zip, but found 'https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.5/apache-maven-3.9.5-bin.zip ' ``` I assume that this is a newline-related issue. That error message comes from the `only-script` shell script, and there is no such line in the `script` shell script, so I'm now trying `script`. (It's possible that we should be using `mvnw.cmd` under Windows, so maybe nothing will work until I change our CI to do that.... (We got a recommendation for the Maven Wrapper [from Ben Manes](https://groups.google.com/g/guava-discuss/c/e5UVvuM9CP8/m/w2H3CjZ7AQAJ).) There does not yet appear to be a way to [make Dependabot automatically update the version of Maven we use](dependabot/dependabot-core#485) (nor the version of the wrapper itself, though I looked less hard for that because it's less important). We've already not kept up with Maven upgrades very carefully—and we might each be using different Maven versions for all I know!—so this isn't necessarily a huge downgrade. Still, we don't want to fall far behind what's on our machines or GitHub CI, so I've at least set myself a calendar reminder to check back every 6 months. RELNOTES=n/a PiperOrigin-RevId: 509334407
copybara-service bot
pushed a commit
to google/guava
that referenced
this issue
Oct 16, 2023
I set this up with: ``` mvn org.apache.maven.plugins:maven-wrapper-plugin:3.2.0:wrapper -Dtype=-script -Dmaven=3.9.5 ``` It's not obvious to me whether we'll notice many differences among the 3 non-binary types (`source`, `script`, and `only-script`). I initially went with `only-script`, which is newest, given that it sounded theoretically like it would involve the fewest steps. But I got [an error](https://github.com/google/guava/actions/runs/6536542346/job/17748480689?pr=6783) from the Windows CI: ``` distributionUrl is not valid, must match *-bin.zip or maven-mvnd-*.zip, but found 'https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.5/apache-maven-3.9.5-bin.zip ' ``` I assume that this is a newline-related issue. That error message comes from the `only-script` shell script, and there is no such line in the `script` shell script, so I'm now trying `script`. (It's possible that we should be using `mvnw.cmd` under Windows, so maybe nothing will work until I change our CI to do that.... (We got a recommendation for the Maven Wrapper [from Ben Manes](https://groups.google.com/g/guava-discuss/c/e5UVvuM9CP8/m/w2H3CjZ7AQAJ).) There does not yet appear to be a way to [make Dependabot automatically update the version of Maven we use](dependabot/dependabot-core#485) (nor the version of the wrapper itself, though I looked less hard for that because it's less important). We've already not kept up with Maven upgrades very carefully—and we might each be using different Maven versions for all I know!—so this isn't necessarily a huge downgrade. Still, we don't want to fall far behind what's on our machines or GitHub CI, so I've at least set myself a calendar reminder to check back every 6 months. RELNOTES=n/a PiperOrigin-RevId: 509334407
copybara-service bot
pushed a commit
to google/guava
that referenced
this issue
Oct 16, 2023
I set this up with: ``` mvn org.apache.maven.plugins:maven-wrapper-plugin:3.2.0:wrapper -Dtype=-script -Dmaven=3.9.5 ``` It's not obvious to me whether we'll notice many differences among the 3 non-binary types (`source`, `script`, and `only-script`). I initially went with `only-script`, which is newest, given that it sounded theoretically like it would involve the fewest steps. But I got [an error](https://github.com/google/guava/actions/runs/6536542346/job/17748480689?pr=6783) from the Windows CI: ``` distributionUrl is not valid, must match *-bin.zip or maven-mvnd-*.zip, but found 'https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.5/apache-maven-3.9.5-bin.zip ' ``` I assume that this is a newline-related issue. That error message comes from the `only-script` shell script, and there is no such line in the `script` shell script, so I'm now trying `script`. (It's possible that we should be using `mvnw.cmd` under Windows, so maybe nothing will work until I change our CI to do that.... (We got a recommendation for the Maven Wrapper [from Ben Manes](https://groups.google.com/g/guava-discuss/c/e5UVvuM9CP8/m/w2H3CjZ7AQAJ).) There does not yet appear to be a way to [make Dependabot automatically update the version of Maven we use](dependabot/dependabot-core#485) (nor the version of the wrapper itself, though I looked less hard for that because it's less important). We've already not kept up with Maven upgrades very carefully—and we might each be using different Maven versions for all I know!—so this isn't necessarily a huge downgrade. Still, we don't want to fall far behind what's on our machines or GitHub CI, so I've at least set myself a calendar reminder to check back every 6 months. RELNOTES=n/a PiperOrigin-RevId: 509334407
copybara-service bot
pushed a commit
to google/guava
that referenced
this issue
Oct 16, 2023
I set this up with: ``` mvn org.apache.maven.plugins:maven-wrapper-plugin:3.2.0:wrapper -Dtype=-script -Dmaven=3.9.5 ``` It's not obvious to me whether we'll notice many differences among the 3 non-binary types (`source`, `script`, and `only-script`). I initially went with `only-script`, which is newest, given that it sounded theoretically like it would involve the fewest steps. But I got [an error](https://github.com/google/guava/actions/runs/6536542346/job/17748480689?pr=6783) from the Windows CI: ``` distributionUrl is not valid, must match *-bin.zip or maven-mvnd-*.zip, but found 'https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.5/apache-maven-3.9.5-bin.zip ' ``` I assume that this is a newline-related issue. That error message comes from the `only-script` shell script, and there is no such line in the `script` shell script, so I'm now trying `script`. (It's possible that we should be using `mvnw.cmd` under Windows, so maybe nothing will work until I change our CI to do that.... (We got a recommendation for the Maven Wrapper [from Ben Manes](https://groups.google.com/g/guava-discuss/c/e5UVvuM9CP8/m/w2H3CjZ7AQAJ).) There does not yet appear to be a way to [make Dependabot automatically update the version of Maven we use](dependabot/dependabot-core#485) (nor the version of the wrapper itself, though I looked less hard for that because it's less important). We've already not kept up with Maven upgrades very carefully—and we might each be using different Maven versions for all I know!—so this isn't necessarily a huge downgrade. Still, we don't want to fall far behind what's on our machines or GitHub CI, so I've at least set myself a calendar reminder to check back every 6 months. RELNOTES=n/a PiperOrigin-RevId: 573917287
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
See dependabot/feedback#23 for more details. Will require the same work as other vendoring projects - the best details of what will be required are in #370.
Thanks for the feedback @davidgoate.
The text was updated successfully, but these errors were encountered: