by tonsky 315 days ago
It’s totally fine in Maven, no need to rebuild or repackage anything. You just override the version of libinsecure in your pom.xml and it uses the version you told it to.

So you... manually re-lock the parts you need to?
Don't forget the part where Maven silently picks one version for you when there are transitive dependency conflicts (and no, it's not always the newest one).
Sure, I'm happy with locking the parts I need to lock. Why would I lock the parts I don't need to lock?
Because you can’t know which ones you “need” to lock.
You can definitely know this. Use

    mvn dependency:tree -Dverbose

Or use maven-enforcer-plugin to fail the build on conflicts.
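
A pom.xml fragment combining the two approaches discussed in this thread, as an added example that is not from any of the commenters: a version override for libinsecure and a maven-enforcer-plugin execution that fails the build on version conflicts. The `com.example` groupId, the `1.2.4` version and the execution id are constructed placeholders, and the plugin version shown is only an example to pin.

```xml
<!-- Added example: fragment of a pom.xml, placed inside <project>. -->
<!-- com.example:libinsecure and 1.2.4 are constructed placeholders. -->
<dependencyManagement>
  <dependencies>
    <!-- Overrides the version of libinsecure wherever it appears in the
         tree, including transitively, without repackaging anything. -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>libinsecure</artifactId>
      <version>1.2.4</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <!-- Example version; pin to the release you have vetted. -->
      <version>3.4.1</version>
      <executions>
        <execution>
          <!-- Hypothetical execution id chosen for this example. -->
          <id>enforce-dependency-versions</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <!-- Fail when two paths in the tree request different
                   versions of the same artifact. -->
              <dependencyConvergence/>
              <!-- Fail when the resolved version is lower than a
                   version some dependency asked for. -->
              <requireUpperBoundDeps/>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```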