[keycloak-dev] Feedback about our BOMs

Sebastien Blanc sblanc at redhat.com
Fri Mar 10 11:50:03 EST 2017


One of the requirements to get added on the start.spring.io website is to
have BOMs and that is what we did. But now they are reviewing our request
and I got this as a remark:

The version.keycloak version in your bom doesn't look right to me. If you
import a bom of version A.B.C it makes no sense to ask for D.E.F. (a
dependency may have been added/removed in that version). I'd rather
hard-code the version in each dependency (that will be updated by the
release process the same way as the property anyway). Also, that bom is a
child of your main pom which is usually a bad idea. I can see that you have
a repositories definition there that is going to pollute the Maven build.
Worse, you inherit from the dependency management of the whole
infrastructure (including Jackson, log4j and a bunch of 3rd party
libraries). We can't accept a bom that does that as it conflicts with
Spring Boot's dependency management.

Does that all make sense to you? TBH I'm not a BOM expert but it looks like
it makes sense (at least for not using the keycloak parent pom)
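
The three objections in the quoted review (a parent pom, a repositories definition, property-driven dependency versions) can be checked mechanically. The following is an added example, not part of the original message or of the Keycloak build; the `lint_bom` function and the `org.example` sample BOM are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample BOM (not the Keycloak project's actual pom): it has a
# parent, a repositories block, and a property-driven dependency version.
SAMPLE_BOM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.example</groupId>
    <artifactId>example-parent</artifactId>
    <version>1.0.0</version>
  </parent>
  <artifactId>example-bom</artifactId>
  <packaging>pom</packaging>
  <properties><version.example>1.0.0</version.example></properties>
  <repositories>
    <repository><id>extra</id><url>https://repo.example.invalid/maven</url></repository>
  </repositories>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>example-adapter</artifactId>
      <version>${version.example}</version>
    </dependency>
  </dependencies></dependencyManagement>
</project>"""


def lint_bom(pom_xml):
    """Return one finding per objection raised in the quoted review."""
    root = ET.fromstring(pom_xml)
    findings = []
    if root.find("m:parent", NS) is not None:
        findings.append("parent: BOM inherits from a parent pom")
    if root.find("m:repositories", NS) is not None:
        findings.append("repositories: BOM declares a repositories block")
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        version = dep.findtext("m:version", default="", namespaces=NS)
        if re.search(r"\$\{[^}]+\}", version):
            artifact = dep.findtext("m:artifactId", default="?", namespaces=NS)
            findings.append(f"version: {artifact} takes its version from {version}")
    return findings


if __name__ == "__main__":
    for finding in lint_bom(SAMPLE_BOM):
        print(finding)
```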
