个人中心
gpt4 book ai didi

gradle - 为什么Gradle不使用插件的pom.xml中声明的Maven存储库?

转载 作者:行者123 更新时间:2023-12-03 03:17:44 28 4
gpt4 key购买 nike

考虑到我已经制作了一个自定义的Gradle插件,该插件可在https://repo.example.com/xyz上获得,并按如下所示应用:

// build.gradle.kts

buildscript {
    repositories {
        jcenter()
        maven("https://repo.example.com/xyz")
    }

    dependencies {
        classpath("com.example:xyz-gradle-plugin:1.2.3")
    }
}

apply(plugin = "com.example.xyz")

现在考虑我需要我的插件依赖于第三方库( org.something:abc:4.5.6),该库仅可从另一个自定义Maven存储库(例如 https://repo.something.org/abc)获得。我相应地生成了插件的 pom.xml: 

  <dependencies>
    <dependency>
      <groupId>org.something</groupId>
      <artifactId>abc</artifactId>
      <version>4.5.6</version>
      <scope>compile</scope>
    </dependency>
  </dependencies>
  <repositories>
    <repository>
      <id>xyz</id>
      <url>https://repo.example.com/xyz/</url>
    </repository>
    <repository>
      <id>abc</id>
      <url>https://repo.something.org/abc/</url>
    </repository>
  </repositories>

现在,当我重建并重新发布该插件时,使用该插件的客户端代码无法构建,因为找不到该插件所依赖的 org.something:abc:4.5.6库。显然,该插件的 pom.xml被误解了:从依赖关系信息中提取了相关性信息,而 <repositories/>节却被忽略了。

唯一的解决方法是将 maven("https://repo.something.org/abc")显式添加到使用我的插件的每个项目的 buildscript节中,而我不想强制用户这样做。

有其他解决方案吗?

更新:,已将此信息报告为Gradle团队 issue #8811

最佳答案

引用Gradle团队的回应:

There are actually good reasons for the behavior of Gradle:

  • Gradle places a lot of importance on the source of a dependency. For Gradle, org:foo:1.0 from Maven Central and org:foo:1.0 from JCenter are considered different things. This is why repository ordering and filtering matters.

  • Repository hijacking has been demonstrated as an attack vector and so having a system that effectively, transitively and transparently, allows dependencies to be downloaded from any repository is not safe.

Because of these reasons, this is a change that is unlikely to happen.

There are however options for your plugin:

  • Shadow that exotic dependency into your own plugin

  • Motivate the owner of that library to publish it to a well known repository, or in your plugin's repository

  • Configure your plugin's repository to also mirror that other repository

关于gradle - 为什么Gradle不使用插件的pom.xml中声明的Maven存储库?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/55246488/

28 4 0
文章推荐: 戈尔姆 : How to use slice as query destination
文章推荐: gradle - Hyperledger:使用Gradle构建Chaincode
文章推荐: dart - 无定义的私有(private)函数
文章推荐: java - 如何为所有 Gradle 子模块启用 --enable-preview 以便它也保留在 IntelliJ IDEA 中?
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com