fix: backward-compatible validation for old lockfiles#1573
Draft
algomaster99 wants to merge 12 commits into
Draft
fix: backward-compatible validation for old lockfiles#1573algomaster99 wants to merge 12 commits into
algomaster99 wants to merge 12 commits into
Conversation
Member
Author
|
@copilot resolve the merge conflicts in this pull request |
Contributor
Resolved. I merged |
…parentPom/extensions Add 6 explicit Config flags (includeBoms, includeParentPom, includeMavenExtensions, allowBomValidationFailure, allowParentPomValidationFailure, allowMavenExtensionsValidationFailure) following the existing includeEnvironment / allowEnvironmentalValidationFailure pattern. Backward compat is automatic: old lockfiles lack these fields in JSON so Gson deserialises all include* as false, causing all three optional comparisons to be skipped. New lockfiles store include*=true and all comparisons are enabled. ValidateChecksumMojo now uses a 4-phase comparison driven by Config flags instead of heuristic auto-detection (lockFileHasParentPomData, lockFileHasNodeBomData etc.). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
algomaster99
force-pushed
the
fix/backward-compat-validate
branch
from
a9e0093 to
1de1dca
Compare
Config gained boms/parentPom/extensions fields in 5bfa33f; the test's storedConfig() helper still called the old 9-arg constructor, breaking test-compile. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… fixture After the refactor to explicit Config flags (5bfa33f), validation gates on config.isIncludeMavenExtensions(). The old fixture lacked this field so Gson defaulted it to false, skipping extension checksum validation and causing the test to pass instead of fail. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The pom.xml was setting includeMavenPlugins=true, but the stored lockfile had mavenPlugins=[]. This caused Phase 1 (plugin equality) to fail before Phase 4 (extension checksum) was reached, so the build failed without printing "Missing extensions" in stdout. Setting includeMavenPlugins=false in both pom.xml and the lockfile config lets Phase 1 pass and Phase 4 correctly detect the tampered extension checksum. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
algomaster99
commented
Jun 1, 2026
Comment on lines
+67
to
+77
| @Parameter(property = "includeParentPom") | ||
| protected String includeParentPom; | ||
|
|
||
| @Parameter(property = "allowParentPomValidationFailure") | ||
| protected String allowParentPomValidationFailure; | ||
|
|
||
| @Parameter(property = "includeMavenExtensions") | ||
| protected String includeMavenExtensions; | ||
|
|
||
| @Parameter(property = "allowMavenExtensionsValidationFailure") | ||
| protected String allowMavenExtensionsValidationFailure; |
Member
Author
There was a problem hiding this comment.
These should be Boolean like others.
| ], | ||
| "metaData": { | ||
| "config": { | ||
| "includeMavenPlugins": true, |
Member
Author
There was a problem hiding this comment.
what is wrong with keeping it true?
Member
Author
|
@copilot can you take care of the reviews. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The changes fix backward-compatible validation for lockfiles generated by older plugin versions. This will also fix #1562.
Problem
Validating a lockfile generated by an older plugin version with the current plugin (5.16.0) fails with a validation error, even though the project's dependencies haven't changed. The root cause is that 5.16.0 added three new fields to the lockfile format:
Solution
6 flags are added:
includeBomsincludeParentPomincludeMavenExtensionsallowBomValidationFailureallowParentPomValidationFailureallowMavenExtensionsValidationFailureNow, old lockfiles lack
includeParentPomso the validation will now skip comparingparentPomcomparison.allowParentPomValidationFailureneed not be specified.allowParentPomValidationFailureis only needed whenincludeParentPomis true.ToDo:
generateandvalidategoal #1575trueby default.