I'm currently running into issues with incorrectly build dependencies that although are said to be releases, are actually dependent on snapshots. To identify "snapshot dependencies" (both transitive and direct), I'm using this mvn dependency:tree command:
mvn dependency:tree -Dincludes=:::*-SNAPSHOT
This worked pretty well, until I hit the following scenario: Someone must have taken a snapshot, and without changing anything else manually uploaded it as a release. What they didn't do, is to change the version of the parent pom which - yes, you guessed it right! - is a snapshot.
What happened also, to make the situation even worse, that snapshot parent pom was then deleted, and the build was failing because of the missing transitive snapshot pom dependency. I didn't hit the problem locally because without noticing I had downloaded it to my local mvn repo, but the CI build on a new slave that had an empty maven repository couldn't pull it.
So, I'm wondering if there's any way for finding all snapshot dependencies (pom and jar), including the transitive ones.
There's a question here that somewhat looked similar at the first glance: Maven dependency tree and pom dependencies It says that you can't do this with the maven dependency plugin.
I also found that since v2.9 there's the dependency:display-ancestors goal, but it only works on ancestors of the current pom, not on ancestors of the dependencies.
So, is there any other way how to figure this out - if not with the maven dependency plugin, then maybe somehow else?
In this post, someone wrote a custom plugin to enhance the dependency:display-ancestors functionality: Maven dependency tree and pom dependencies Is writing another custom plugin the only way for how to do this?
Or is there any kind of check that can also be run when creating a release to make sure that it's not dependent on any snapshots (incl. pom snapshots) and fail the build / stop the release if anything like that is discovered?
Being dependent on bad releases like that is really annoying and it would be really good to be able to analyze your dependencies one way or another to prevent this before things actually break, or worse, suddenly start changing quietly without you recognizing the problem until you get weird runtime issues.