Problem Description
When using Gradle's Java Platform plugin for centralized version management, the projectHealth task suggests adding dependencies with explicit versions, even though the versions should be managed centrally through the platform.
This defeats the purpose of using a platform for centralized dependency version management and can lead to version conflicts or inconsistencies.
Current Behavior
See attached demo project:
dependency-analysis.zip
Setup:
- A multi-module Gradle project with:
  - A platform module using the java-platform plugin to define version constraints
  - An app module that depends on the platform and declares dependencies without versions
Platform module (platform/build.gradle):
    plugins {
        id 'java-platform'
        id 'com.autonomousapps.dependency-analysis'
    }
    dependencies {
        constraints {
            api 'org.apache.commons:commons-lang3:3.12.0'
            api 'com.google.guava:guava:33.5.0-jre'
            api 'org.slf4j:slf4j-api:2.0.9'
        }
    }
App module (app/build.gradle):
    plugins {
        id 'java-library'
        id 'com.autonomousapps.dependency-analysis'
    }
    dependencies {
        implementation platform(project(':platform'))
        implementation 'com.google.guava:guava' // No version - managed by platform
    }
Code using transitive dependency (app/src/main/java/com/example/Foo.java):
    package com.example;

    import com.google.common.annotations.Beta;
    import com.google.common.util.concurrent.internal.InternalFutures;
    import org.jspecify.annotations.NonNull;

    public class Foo {
        @NonNull
        @Beta
        String bar() {
            InternalFutures.tryInternalFastPathGetFailure(null);
            return "Hello World";
        }
    }
Project Health Report Output:
    These transitive dependencies should be declared directly:
      implementation 'com.google.guava:failureaccess:1.0.3'
Expected Behavior
The projectHealth task should detect that versions are managed through a platform and suggest dependencies without explicit versions:
    These transitive dependencies should be declared directly:
      implementation 'com.google.guava:failureaccess'
Why This Matters
- Version Management Consistency: Using explicit versions in consuming modules bypasses the platform's version constraints, creating potential version conflicts
- Maintainability: One of the main benefits of using a platform is having a single source of truth for all dependency versions
- Best Practices: Gradle's official documentation recommends managing versions through platforms, and the advice should align with this best practice
Proposed Solution
The plugin should:
- Detect when a project uses a platform(...) dependency
- Check if the suggested dependency's version is defined in the platform's constraints
- If yes, suggest the dependency declaration without an explicit version
Alternatively, as a quick fix, a flag could be added to suggest dependencies without versions.
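The three steps of the proposed solution, sketched as an added Python example that post-processes advice lines against the platform's constraints block; this is not the plugin's code and not part of the original issue. `platform_constraints` and `rewrite_advice` are hypothetical helpers and the slf4j advice line is constructed. With the demo platform as posted, failureaccess has no constraint entry, so step 2 keeps its version.

```python
import re

# Constructed copy of the constraints block from platform/build.gradle above.
PLATFORM_BUILD = """
dependencies {
    constraints {
        api 'org.apache.commons:commons-lang3:3.12.0'
        api 'com.google.guava:guava:33.5.0-jre'
        api 'org.slf4j:slf4j-api:2.0.9'
    }
}
"""
# First line is from the report above; the second is constructed for illustration.
ADVICE = [
    "implementation 'com.google.guava:failureaccess:1.0.3'",
    "implementation 'org.slf4j:slf4j-api:2.0.7'",
]
COORD = re.compile(r"""['"]([\w.\-]+):([\w.\-]+):([\w.\-]+)['"]""")

def platform_constraints(build_text):
    """Map 'group:name' -> version for each entry in the constraints { } block."""
    block = re.search(r"constraints\s*\{(.*?)\}", build_text, re.S)
    if not block:
        return {}
    return {f"{g}:{n}": v for g, n, v in COORD.findall(block.group(1))}

def rewrite_advice(lines, constraints):
    """Drop the version from advice lines whose module the platform constrains.

    Returns (rewritten_lines, notes). A module the platform does not list keeps
    its version; a version that differs from the platform's is reported.
    """
    out, notes = [], []
    for line in lines:
        m = COORD.search(line)
        if not m:
            out.append(line)
            continue
        g, n, v = m.groups()
        key = f"{g}:{n}"
        if key not in constraints:
            notes.append(f"{key}: no platform constraint, version {v} kept")
            out.append(line)
            continue
        if constraints[key] != v:
            notes.append(f"{key}: advice says {v}, platform pins {constraints[key]}")
        out.append(line[:m.start()] + f"'{key}'" + line[m.end():])
    return out, notes
```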