{"id":18887727,"url":"https://github.com/nebula-plugins/nebula-dependency-recommender-plugin","last_synced_at":"2025-04-05T06:08:24.396Z","repository":{"id":23341632,"uuid":"26702191","full_name":"nebula-plugins/nebula-dependency-recommender-plugin","owner":"nebula-plugins","description":"Leave off version numbers in your dependencies section and have versions recommended by several possible sources.","archived":false,"fork":false,"pushed_at":"2025-03-08T21:57:10.000Z","size":1542,"stargazers_count":71,"open_issues_count":19,"forks_count":30,"subscribers_count":25,"default_branch":"main","last_synced_at":"2025-03-29T05:08:34.859Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Groovy","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nebula-plugins.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2014-11-16T03:16:04.000Z","updated_at":"2025-03-08T21:56:51.000Z","dependencies_parsed_at":"2023-02-10T12:31:02.310Z","dependency_job_id":"cc4db268-e8fd-46e6-a3ca-6dd7125d5692","html_url":"https://github.com/nebula-plugins/nebula-dependency-recommender-plugin","commit_stats":null,"previous_names":[],"tags_count":85,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nebula-plugins%2Fnebula-dependency-recommender-plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nebula-plugins%2Fnebula-dependency-recommender-plugin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposit
ories/nebula-plugins%2Fnebula-dependency-recommender-plugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nebula-plugins%2Fnebula-dependency-recommender-plugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nebula-plugins","download_url":"https://codeload.github.com/nebula-plugins/nebula-dependency-recommender-plugin/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247294539,"owners_count":20915340,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T07:39:15.137Z","updated_at":"2025-04-05T06:08:24.366Z","avatar_url":"https://github.com/nebula-plugins.png","language":"Groovy","funding_links":[],"categories":[],"sub_categories":[],"readme":"## Maintenance Mode Support\n\nWe don't plan to add new functionality to this plugin. We focus mainly on compatibility with new versions of Gradle.\n\nMuch of the functionality of this project can be replicated by a new feature coming in `Gradle 4.6` and the default in `Gradle 5.0`. We recommend that new users seeking this functionality adopt the feature directly from Gradle. 
You can find details in [Sharing dependency versions between projects](https://docs.gradle.org/current/userguide/platforms.html).\n\nWe are also actively working on switching from this plugin to Gradle Platform support, with the eventual long-term goal of deprecating this plugin.\n\n# Nebula Dependency Recommender\n\n![Support Status](https://img.shields.io/badge/nebula-maintence-orange.svg)\n[![Gradle Plugin Portal](https://img.shields.io/maven-metadata/v/https/plugins.gradle.org/m2/com.netflix.nebula/nebula-dependency-recommender/maven-metadata.xml.svg?label=gradlePluginPortal)](https://plugins.gradle.org/plugin/com.netflix.nebula.dependency-recommender)\n[![Maven Central](https://img.shields.io/maven-central/v/com.netflix.nebula/nebula-dependency-recommender)](https://maven-badges.herokuapp.com/maven-central/com.netflix.nebula/nebula-dependency-recommender)\n![Build](https://github.com/nebula-plugins/nebula-dependency-recommender-plugin/actions/workflows/nebula.yml/badge.svg)\n[![Apache 2.0](https://img.shields.io/github/license/nebula-plugins/nebula-dependency-recommender-plugin.svg)](http://www.apache.org/licenses/LICENSE-2.0)\n\nA Gradle plugin that allows you to leave off version numbers in your dependencies section and have versions recommended by several possible sources.  The most familiar recommendation provider that is supported is the Maven BOM (i.e. Maven dependency management metadata).  
The plugin will control the versions of any dependencies that do not have a version specified.\n\nTable of Contents\n=================\n\n  * [Nebula Dependency Recommender](#nebula-dependency-recommender)\n    * [Usage](#usage)\n    * [Dependency recommender configuration](#dependency-recommender-configuration)\n    * [Built-in recommendation providers](#built-in-recommendation-providers)\n    * [Producing a Maven BOM for use as a dependency recommendation source](#producing-a-maven-bom-for-use-as-a-dependency-recommendation-source)\n    * [Version selection rules](#version-selection-rules)\n      * [1. Forced dependencies](#1-forced-dependencies)\n      * [2. Direct dependencies with a version qualifier](#2-direct-dependencies-with-a-version-qualifier)\n      * [3.  Dependency recommendations](#3--dependency-recommendations)\n      * [4.  Transitive dependencies](#4--transitive-dependencies)\n    * [Conflict resolution and transitive dependencies](#transitive-dependencies)\n    * [Accessing recommended versions directly](#accessing-recommended-versions-directly)\n    * [Notes on POMs Generated by Gradle maven-publish](#9-notes-on-poms-generated-by-gradle-maven-publish)\n\n\n## 1. Dependency recommender configuration\n\nDependency recommenders are the source of versions.  
If more than one recommender defines a recommended version for a module, the last recommender specified will win.\n\n```groovy\ndependencyRecommendations {\n  propertiesFile uri: 'http://somewhere/extlib.properties', name: 'myprops'\n}\n\ndependencies {\n  nebulaRecommenderBom 'netflix:platform:latest.release@pom'\n  implementation 'com.google.guava:guava' // no version, version is recommended\n  implementation 'commons-lang:commons-lang:2.6' // I know what I want, don't recommend\n  implementation project.recommend('commons-logging:commons-logging', 'myprops') // source the recommendation from the provider named 'myprops'\n}\n```\n\nYou can also specify BOM lookup via a configuration:\n ```groovy\n dependencies {\n   nebulaRecommenderBom 'test.nebula:bom:1.0.0@pom'\n }\n ```\n\n## 2. Built-in recommendation providers\n\nSeveral recommendation providers are packaged with the plugin.  The file-based providers all share a basic configuration that is described separately.\n\n* [File-based providers](https://github.com/nebula-plugins/nebula-dependency-recommender/wiki/File-Based-Providers)\n\t* [Maven BOM](https://github.com/nebula-plugins/nebula-dependency-recommender/wiki/Maven-BOM-Provider)\n\t* [Properties file](https://github.com/nebula-plugins/nebula-dependency-recommender/wiki/Properties-File-Provider)\n\t* [Nebula dependency lock](https://github.com/nebula-plugins/nebula-dependency-recommender/wiki/Dependency-Lock-Provider)\n* [Map](https://github.com/nebula-plugins/nebula-dependency-recommender/wiki/Map-Provider)\n* [Custom](https://github.com/nebula-plugins/nebula-dependency-recommender/wiki/Custom-Provider)\n\n## 3. 
Producing a Maven BOM for use as a dependency recommendation source\n\nSuppose you want to produce a BOM that contains a recommended version for commons-configuration.\n\n```groovy\nbuildscript {\n    repositories { mavenCentral() }\n    dependencies { classpath 'com.netflix.nebula:nebula-dependency-recommender:4.+' }\n}\n\napply plugin: 'maven-publish'\napply plugin: 'com.netflix.nebula.dependency-recommender'\n\ngroup = 'netflix'\n\nconfigurations { implementation }\nrepositories { mavenCentral() }\n\ndependencies {\n   implementation 'commons-configuration:commons-configuration:1.6'\n}\n\npublishing {\n    publications {\n        parent(MavenPublication) {\n            // the transitive closure of this configuration will be flattened and added to the dependency management section\n            nebulaDependencyManagement.fromConfigurations { configurations.implementation }\n\n            // alternative syntax when you want to explicitly add a dependency with no transitives\n            nebulaDependencyManagement.withDependencies { 'manual:dep:1' }\n\n            // the bom will be generated with dependency coordinates of netflix:module-parent:1\n            artifactId = 'module-parent'\n            version = 1\n\n            // further customization of the POM is allowed if desired\n            pom.withXml { asNode().appendNode('description', 'A demonstration of maven POM customization') }\n        }\n    }\n    repositories {\n        maven {\n           url = \"$buildDir/repo\" // point this to your destination repository\n        }\n    }\n}\n```\n\nThe resultant BOM would look like this:\n\n```xml\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003cproject xmlns=\"http://maven.apache.org/POM/4.0.0\" xsi:schemaLocation=\"http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\u003e\n  \u003cmodelVersion\u003e4.0.0\u003c/modelVersion\u003e\n  
\u003cgroupId\u003enetflix\u003c/groupId\u003e\n  \u003cartifactId\u003emodule-parent\u003c/artifactId\u003e\n  \u003cversion\u003e1\u003c/version\u003e\n  \u003cpackaging\u003epom\u003c/packaging\u003e\n  \u003cdependencyManagement\u003e\n    \u003cdependencies\u003e\n      \u003cdependency\u003e\n        \u003cgroupId\u003ecommons-digester\u003c/groupId\u003e\n        \u003cartifactId\u003ecommons-digester\u003c/artifactId\u003e\n        \u003cversion\u003e1.8\u003c/version\u003e\n      \u003c/dependency\u003e\n      \u003cdependency\u003e\n        \u003cgroupId\u003ecommons-logging\u003c/groupId\u003e\n        \u003cartifactId\u003ecommons-logging\u003c/artifactId\u003e\n        \u003cversion\u003e1.1.1\u003c/version\u003e\n      \u003c/dependency\u003e\n      \u003cdependency\u003e\n        \u003cgroupId\u003ecommons-lang\u003c/groupId\u003e\n        \u003cartifactId\u003ecommons-lang\u003c/artifactId\u003e\n        \u003cversion\u003e2.4\u003c/version\u003e\n      \u003c/dependency\u003e\n      \u003cdependency\u003e\n        \u003cgroupId\u003ecommons-configuration\u003c/groupId\u003e\n        \u003cartifactId\u003ecommons-configuration\u003c/artifactId\u003e\n        \u003cversion\u003e1.6\u003c/version\u003e\n      \u003c/dependency\u003e\n      \u003cdependency\u003e\n        \u003cgroupId\u003ecommons-beanutils\u003c/groupId\u003e\n        \u003cartifactId\u003ecommons-beanutils\u003c/artifactId\u003e\n        \u003cversion\u003e1.7.0\u003c/version\u003e\n      \u003c/dependency\u003e\n      \u003cdependency\u003e\n        \u003cgroupId\u003ecommons-collections\u003c/groupId\u003e\n        \u003cartifactId\u003ecommons-collections\u003c/artifactId\u003e\n        \u003cversion\u003e3.2.1\u003c/version\u003e\n      \u003c/dependency\u003e\n      \u003cdependency\u003e\n        \u003cgroupId\u003ecommons-beanutils\u003c/groupId\u003e\n        \u003cartifactId\u003ecommons-beanutils-core\u003c/artifactId\u003e\n        
\u003cversion\u003e1.8.0\u003c/version\u003e\n      \u003c/dependency\u003e\n      \u003cdependency\u003e\n        \u003cgroupId\u003emanual\u003c/groupId\u003e\n        \u003cartifactId\u003edep\u003c/artifactId\u003e\n        \u003cversion\u003e1\u003c/version\u003e\n      \u003c/dependency\u003e\n    \u003c/dependencies\u003e\n  \u003c/dependencyManagement\u003e\n  \u003cdescription\u003eA demonstration of maven POM customization\u003c/description\u003e\n\u003c/project\u003e\n```\n\n## 4. Version selection rules\n\nThe hierarchy of preference for versions is:\n\n### 4.1. Forced dependencies\n\n```groovy\nconfigurations.all {\n    resolutionStrategy {\n        force 'commons-logging:commons-logging:1.2'\n    }\n}\n\ndependencyRecommendations {\n   map recommendations: ['commons-logging:commons-logging': '1.1']\n}\n\ndependencies {\n   implementation 'commons-logging:commons-logging' // version 1.2 is selected\n}\n```\n\n### 4.2. Direct dependencies with a version qualifier\n\nDirect dependencies with a version qualifier trump recommendations, even if the version qualifier refers to an older version.\n\n```groovy\ndependencyRecommendations {\n   map recommendations: ['commons-logging:commons-logging': '1.2']\n}\n\ndependencies {\n   implementation 'commons-logging:commons-logging:1.0' // version 1.0 is selected\n}\n```\n\n### 4.3.  Dependency recommendations\n\nThis is the basic case described elsewhere in the documentation.\n\n```groovy\ndependencyRecommendations {\n   map recommendations: ['commons-logging:commons-logging': '1.0']\n}\n\ndependencies {\n   implementation 'commons-logging:commons-logging' // version 1.0 is selected\n}\n```\n\n### 4.4.  Transitive dependencies\n\nTransitive dependencies interact with the plugin in different ways depending on which of two available strategies is selected.\n\n#### 4.4.1.  `ConflictResolved` Strategy (default)\n\nConsider the following example with dependencies on `commons-configuration` and `commons-logging`.  
`commons-configuration:1.6` depends on `commons-logging:1.1.1`.  In this case, the transitive dependency on `commons-logging` via `commons-configuration` is conflict resolved against the recommended version of 1.0 if we have a direct dependency on `commons-logging`.  Normal Gradle conflict resolution selects 1.1.1.\n\n```groovy\ndependencyRecommendations {\n   strategy ConflictResolved // this is the default, so this line is NOT necessary\n   map recommendations: ['commons-logging:commons-logging': '1.0']\n}\n\ndependencies {\n   implementation 'commons-logging:commons-logging'\n   implementation 'commons-configuration:commons-configuration:1.6'\n}\n```\n\n#### 4.4.2.  `OverrideTransitives` Strategy\n\nIn the following example, version `commons-logging:commons-logging:1.0` is selected even though `commons-logging` is not explicitly mentioned in dependencies. This would not work with the `ConflictResolved` strategy:\n\n```groovy\ndependencyRecommendations {\n   strategy OverrideTransitives\n   map recommendations: ['commons-logging:commons-logging': '1.0']\n}\n\ndependencies {\n   implementation 'commons-configuration:commons-configuration:1.6'\n}\n```\n\n#### 4.4.3.  Bubbling up recommendations from transitives\n\nIf no recommendation can be found in the recommendation sources for a dependency that has no version, but a version is provided by a transitive, the version provided by the transitive is applied.  In this scenario, if several transitives provide versions for the module, normal Gradle conflict resolution applies.\n\n```groovy\ndependencyRecommendations {\n   map recommendations: ['some:other-module': '1.1']\n}\n\ndependencies {\n   implementation 'commons-configuration:commons-configuration:1.6'\n   implementation 'commons-logging:commons-logging' // version 1.1.1 is selected\n}\n```\n\n## 5. 
Conflict resolution and transitive dependencies\n\n* [Resolving differences between recommendation providers](https://github.com/nebula-plugins/nebula-dependency-recommender/wiki/Resolving-Differences-Between-Recommendation-Providers)\n\n## 6. Accessing recommended versions directly\n\nThe `dependencyRecommendations` container can be queried directly for a recommended version:\n\n```groovy\ndependencyRecommendations.getRecommendedVersion('commons-logging', 'commons-logging')\n```\n\nThe `getRecommendedVersion` method returns `null` if no recommendation is found.\n\n## 7. Strict Mode\n\n```groovy\ndependencyRecommendations {\n    strictMode = true\n}\n```\n\nStrict mode will cause the plugin to fail if a dependency version is omitted and not found in a recommendation source.\n\n## 8. Notes on POMs Generated by Gradle maven-publish\n\nGradle requires that version numbers are present in the dependencies block to create a valid POM file that includes version numbers. To fix the issue this causes when using the dependency-recommender plug-in, apply the `nebula.maven-resolved-dependencies` plug-in from the [nebula-publishing-plugin](https://github.com/nebula-plugins/nebula-publishing-plugin) set.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnebula-plugins%2Fnebula-dependency-recommender-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnebula-plugins%2Fnebula-dependency-recommender-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnebula-plugins%2Fnebula-dependency-recommender-plugin/lists"}