如何获取maven依赖项列表以及从中获取的存储库 [英] How to get a list of maven dependencies and the repositories they were fetched from

问题描述

我想，给定一个pom.xml文件，展开传递依赖关系，并为每个直接和传递依赖关系列出maven从哪个存储库获取它。

I'd like to, given a pom.xml file, expand the transitive dependencies, and for each direct and transitive dependency, list which repositories maven is fetching it from.

使用 maven-dependency-plugin 我可以

mvn依赖： tree 获取传递依赖关系树，但不包含存储库信息

mvn dependency:tree to get the transitive dependency tree, but no repository info is included

mvn dependency：list-repositories 获取使用的存储库列表，但不包含依赖项信息

mvn dependency:list-repositories to get a list of repositories used, but no dependency info is included

mvn dependency：get -Dartifact =<。 ..> 获取单个工件和传递依赖项，但它似乎比需要的更多，我无法分辨我真正关心的是什么。

mvn dependency:get -Dartifact=<...> to fetch a single artifact and transitive dependencies, but it seems to fetch a lot more than needed and I can't tell which I actually care about.

推荐答案

我不认为有一个插件可以做到这一点。我认为其原因是没有人真正对这类信息感兴趣。

I don't think that there is a plugin that does that. And I think the reason for that is that no one is really interested in that kind of information.

考虑依赖于已发布的工件。一旦将它们下载到您的本地仓库，Maven就不会再打扰它们了（除非您删除它们）;该工件的所有未来解决方案都将通过本地仓库完成。

Consider having dependencies to released artifacts. Once they are downloaded to your local repo, Maven won't bother downloading them again (unless you delete them); all future resolutions to that artifact will be done through the local repo.

当然，文件 _remote.repositories in您的本地repo的工件目录将包含从其下载的repo的符号名称，其实际URL可能随时间推移或可能不同。

Sure, the file _remote.repositories in your local repo's artifact directory will contain the symbolical name of the repo it was downloaded from, whose actual URL might or might not be same over time.

这样的哲学是Maven坐标是全局的。例如，（例如） commons-codec：commons-codec：1.10 的给定版本必须相同，无论它来自何处。否则，如果某些版本根据它们的来源而有所不同，那么一切都会崩溃。因此，没有人关心依赖来自何处。

The philosophy being this is that Maven coordinates are global. For example, a given release of (say) commons-codec:commons-codec:1.10 must be the same regardless of where it came from. Otherwise, if certain releases were to be different depending on where they came from, then everything would fall apart. Because of this, no one cares where dependency came from.

快照依赖是一个不同的故事，但你不应该长时间依赖它们，因为你没有想要根据将来可能发生变化的依赖关系发布你的东西。通常，您可以控制快照依赖关系的来源，因此找出 依赖关系来源的重点变得徒劳无功。

Snapshot dependencies are a different story, but you shouldn't rely on them for too long because you don't want to release your stuff based on dependencies that might change in the future. Usually, you are in control of where you want your snapshot dependencies to come from, so the whole point of finding out where your dependencies come from becomes futile.

有时候，传递依赖关系将包括为Maven指定额外的存储库以从中获取子依赖关系的POM。有时这些存储库被解除或中断，打破了依赖链。在这种情况下，您可能希望在 settings.xml 中阻止或重新路由它们。通过本地仓库中的所有POM进行简单扫描通常足以嗅出它们：

Sometimes though, transitive dependencies will include POMs that specify additional repos for Maven to fetch sub-dependencies from. And sometimes these repositories are decommisioned or discontinued, breaking the dependency chain. In that case, you might want to block or reroute them in your settings.xml. A simple scan through all the POMs in your local repo is usually enough to sniff them out:

# Linux/Unix
%> find <your local repo> -name '*.pom' | xargs grep -c '<repositories>' | grep -v ':0'

这与 mvn依赖：tree一起，应足以确定传递依赖是否依赖于行为不当的存储库。

This, together with mvn dependency:tree, should be enough to find out if a transitive dependency is dependent on a misbehaving repository.

这篇关于如何获取maven依赖项列表以及从中获取的存储库的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！