spotbugs / spotbugs

SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.

Home Page: https://spotbugs.github.io/


spotbugs-annotations artifact depends on and exports junit-bom

davidburstrom opened this issue · comments

When a project depends on com.github.spotbugs:spotbugs-annotations, it will add the latest JUnit Jupiter BOM to the project classpath. This causes issues for consumers, as adding or bumping spotbugs-annotations will lead to a bump of JUnit, as the BOM ends up in the POM and Gradle module files.

This happens because the BOM is configured to be an implementation dependency (`implementation platform('org.junit:junit-bom:5.9.1')`). It would likely be better to add the BOM exclusively to the testImplementation configurations for all projects, as it really shouldn't be leaked to any production code consumers.

Here's more information on the consequences of exporting a platform to downstream consumers: https://docs.gradle.org/current/userguide/platforms.html#sub:platforms-vs-catalog
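One way to check a published artifact for the leak described in this issue, as an added example that is not SpotBugs project code: it parses Gradle Module Metadata (the `.module` JSON published next to the POM) and reports any `platform()` dependency carried in a consumer-facing variant. The module JSON below is a constructed, trimmed sample shaped like what `implementation platform(...)` produces, not the real spotbugs-annotations metadata, and the component version is a placeholder.

```python
import json

# Variants that reach downstream consumers; test-only configurations
# (testImplementation etc.) are never published, so they never appear here.
CONSUMER_VARIANTS = {"apiElements", "runtimeElements"}


def leaked_platforms(module_json: str) -> list[tuple[str, str]]:
    """Return (variant, group:module:version) for each platform/BOM dependency
    a published variant exposes to consumers; an empty list means nothing leaks."""
    meta = json.loads(module_json)
    found = []
    for variant in meta.get("variants", []):
        if variant.get("name") not in CONSUMER_VARIANTS:
            continue
        for dep in variant.get("dependencies", []):
            # Gradle tags platform() dependencies with this attribute in the metadata.
            if dep.get("attributes", {}).get("org.gradle.category") != "platform":
                continue
            version = dep.get("version", {}).get("requires", "?")
            found.append((variant["name"], f"{dep['group']}:{dep['module']}:{version}"))
    return found


# Constructed sample, not real published metadata: a BOM declared with
# `implementation platform('org.junit:junit-bom:5.9.1')` lands in runtimeElements.
LEAKED_MODULE = json.dumps({
    "formatVersion": "1.1",
    "component": {"group": "com.github.spotbugs", "module": "spotbugs-annotations",
                  "version": "<placeholder>"},
    "variants": [
        {"name": "apiElements", "dependencies": []},
        {"name": "runtimeElements", "dependencies": [
            {"group": "org.junit", "module": "junit-bom", "version": {"requires": "5.9.1"},
             "attributes": {"org.gradle.category": "platform"}},
            {"group": "example.group", "module": "example-lib", "version": {"requires": "1.0"}},
        ]},
    ],
})

# Constructed "after the fix" sample: the same metadata without the BOM, which is
# what moving it to testImplementation produces (test configurations are not published).
_fixed = json.loads(LEAKED_MODULE)
for _variant in _fixed["variants"]:
    _variant["dependencies"] = [d for d in _variant["dependencies"] if d["module"] != "junit-bom"]
FIXED_MODULE = json.dumps(_fixed)

if __name__ == "__main__":
    print("before fix:", leaked_platforms(LEAKED_MODULE))  # [('runtimeElements', 'org.junit:junit-bom:5.9.1')]
    print("after fix: ", leaked_platforms(FIXED_MODULE))   # []
```

The same check can be run against the `.module` file of any published library to confirm that no BOM reaches consumers through `apiElements` or `runtimeElements`.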