introduce transitiveremediation for maven #15375
cforce
started this conversation in
Suggest an Idea
Replies: 1 comment 4 replies
-
This is not practical for two related reasons:
-
What would you like Renovate to be able to do?
Add support for https://docs.renovatebot.com/configuration-options/#transitiveremediation for Maven as well.
If you have any ideas on how this should be implemented, please tell us here.
Maven supports rendering the effective POM and so pins, for the run, which versions are used, even in a dependency tree, which allows following upward and checking whether deps are affected.
If a (future) upgrade of an explicit (still outdated) dependency also covers the upgrade to a newer transitive dependency version with a fixed issue (e.g. vulnerability), this will help to reduce the number of PRs created.
In case a transitive dependency version cannot be covered by an upgrade of an explicit dependency specified in the POM, there shall be an option, defaulting to "false", to add an explicit overriding "pinning" of the transitive child deps as .... which are marked as to be updated.
Is this a feature you are interested in implementing yourself?
No
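The upward walk the post describes, from an affected transitive dependency to the explicitly declared dependency that brings it in, sketched as an added example that is not part of the original discussion or of Renovate's code. It parses the text output of `mvn dependency:tree`; the sample tree, the coordinates and the function names are constructed for illustration.

```python
import re

# Constructed sample of `mvn dependency:tree` text output (not from the discussion).
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:1.0.0
[INFO] +- com.example:web-starter:jar:2.1.0:compile
[INFO] |  +- com.example:json-support:jar:2.1.0:compile
[INFO] |  |  \- com.example:parser-core:jar:1.4.2:compile
[INFO] |  \- com.example:http-client:jar:3.0.1:compile
[INFO] +- com.example:parser-core-ext:jar:0.9.0:compile
[INFO] \- com.example:reporting:jar:5.2.0:compile
[INFO]    \- com.example:templating:jar:1.1.0:runtime
"""

# Optional "[INFO] " prefix, 3-character indent units, "+- " or "\- " marker, then
# group:artifact:type[:classifier]:version[:scope]. Other log lines do not match.
LINE = re.compile(
    r"^(?:\[INFO\] )?((?:[| ] {2})*)([+\\]- )?([^\s:]+(?::[^\s:]+){3,5})(?:\s.*)?$")

def parse_tree(text):
    """Return [(depth, 'group:artifact', version)]; the project root has depth 0."""
    nodes = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        depth = len(m.group(1)) // 3 + (1 if m.group(2) else 0)
        parts = m.group(3).split(":")
        # Dependencies end in ':version:scope'; the root ends in ':version'.
        version = parts[-2] if depth else parts[-1]
        nodes.append((depth, ":".join(parts[:2]), version))
    return nodes

def remediation_candidates(text, target_ga):
    """For each occurrence of target_ga, name the direct dependency that pulls it in."""
    findings, stack = [], []
    for depth, ga, version in parse_tree(text):
        del stack[depth:]  # leave only the ancestors of the current node
        stack.append((ga, version))
        if ga != target_ga or depth == 0:
            continue
        findings.append({
            "resolved_version": version,
            "via_direct": "%s:%s" % stack[1],
            "path": [g for g, _ in stack[1:]],
            # depth 1: bump the declared dependency itself; deeper: try upgrading
            # via_direct first, and fall back to an explicit override in the POM.
            "action": "bump-direct" if depth == 1 else "upgrade-parent-or-override",
        })
    return findings
```

Without `-Dverbose`, `dependency:tree` prints the resolved tree, so an affected artifact normally appears once, under the direct dependency whose version was selected.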