remove dependencyManagement from published pom

The build enforces minimum constraints on its transitive dependencies, e.g. by build plugins or testing libraries, to avoid supply chain attacks against the CI (e.g. codecov breach). These are internal minimum version requirements for building the library, not dependencies that impact a user's build. However, Gradle will declare these in the pom's dependencyManagement section despite not being part of the api and mvnrepository.com will warn about possible vulnerabilities for them.
ben-manes · Dec 3, 2022 · 396a940 · 396a940
1 parent 10dc2c4
commit 396a940
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 5 deletions.
diff --git a/build.gradle b/build.gradle
@@ -76,7 +76,6 @@ subprojects {
   }
 
   dependencies {
-    implementation platforms.collect { platform(it) }
     annotationProcessor platforms.collect { platform(it) }
 
     testImplementation libraries.guava
@@ -87,6 +86,7 @@ subprojects {
     testImplementation testLibraries.hamcrest
     testImplementation testLibraries.awaitility
     testImplementation testLibraries.osgiCompile
+    testImplementation platforms.collect { platform(it) }
 
     testRuntimeOnly testLibraries.osgiRuntime
     testRuntimeOnly testLibraries.junitEngines
@@ -130,8 +130,11 @@ tasks.named('dependencyUpdates').configure {
   outputFormatter { result ->
     def reporter = new PlainTextReporter(project, revision, gradleReleaseChannel)
     result.exceeded.dependencies.removeIf { dependency ->
-      result.current.dependencies.add(dependency)
-      dependency.group.startsWith('org.ops4j')
+      if (dependency.group.startsWith('org.ops4j')) {
+        result.current.dependencies.add(dependency)
+        return true
+      }
+      return false
     }
     reporter.write(System.out, result)
   }

diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
@@ -27,7 +27,7 @@ ext {
   versions = [
     autoValue: '1.10.1',
     cache2k: '2.6.1.Final',
-    checkerFramework: '3.27.0',
+    checkerFramework: '3.28.0',
     coherence: '22.06.2',
     commonsCompress: '1.22',
     commonsLang3: '3.12.0',
@@ -90,7 +90,7 @@ ext {
     osgiUtilPromise: '1.2.0',
   ]
   pluginVersions = [
-    bnd: '6.3.1',
+    bnd: '6.4.0',
     checkstyle: '10.5.0',
     coveralls: '2.12.0',
     dependencyCheck: '7.3.2',

diff --git a/gradle/publish.gradle b/gradle/publish.gradle
@@ -37,6 +37,10 @@ publishing {
         url = 'https://github.com/ben-manes/caffeine'
         inceptionYear = '2014'
 
+        withXml {
+          asNode().remove(asNode().dependencyManagement)
+        }
+
         scm {
           url = 'https://github.com/ben-manes/caffeine'
           connection = 'scm:git:https://github.com/ben-manes/caffeine.git'