Multi-module update causing RequireUpperBoundDeps maven enforcer error

[rantoniuk]

As I see in #222, Maven multi-module dependency updates are supported. However, it seems kind of update might cause RequireUpperBoundDeps maven enforcer error.
See example: jenkinsci/jira-plugin#228
and error from maven build:

[WARNING] Rule 5: org.apache.maven.plugins.enforcer.RequireUpperBoundDeps failed with message:
Failed while enforcing RequireUpperBoundDeps. The error(s) are [
Require upper bound dependencies error for org.jenkins-ci.plugins:script-security:1.16 paths to dependency are:
+-org.jenkins-ci.plugins:jira:3.0.16-SNAPSHOT
  +-org.jenkins-ci.plugins:script-security:1.16
and
+-org.jenkins-ci.plugins:jira:3.0.16-SNAPSHOT
  +-org.jenkins-ci.plugins:matrix-project:1.14
    +-org.jenkins-ci.plugins:script-security:1.54
and
+-org.jenkins-ci.plugins:jira:3.0.16-SNAPSHOT
  +-org.jenkins-ci.plugins.workflow:workflow-job:2.0
    +-org.jenkins-ci.plugins.workflow:workflow-support:1.15
      +-org.jenkins-ci.plugins:script-security:1.16
]

I know this is configured via the enforcer in this case, but is it somehow possible to take this into consideration? Sounds also similar to #1545.

[jeffwidman]

👋 Sorry for the slow reply.

We've shipped a number of fixups to Maven parsing lately, even a couple in the last week.

Additionally, our underlying Maven parsing is all regex/ruby, and we want to long term move to using Maven itself as that's much less brittle. So while we're happy to fix bugs that are currently affecting folks, we're not adding new features and for bugs that aren't currently affecting folks we'd rather invest that energy into figuring out how to switch to Maven long term.

I'm going to close, as I assume this either isn't reproducible or isn't currently affecting you. But if I'm wrong please comment and we can re-open.

[deivid-rodriguez]

Had a closer look here and I don't think we support this in any way. Also investigated how one would go about actually implementing it and it would involve parsing the output of mvn validate to figure out which other dependencies we need to update so that transitive dependencies satisfy the upper bound constraints.

We don't want to go that route I think. I'd rather get the maven enforcer plugin provide an easy way to upgrade dependencies while still satisfying the RequireUpperBoundDeps rule, and then we can shell out to that.