Fork me on GitHub

Locking snapshot dependencies

If your pom contains a lot of -SNAPSHOT dependencies and those -SNAPSHOT dependencies are a moving target, it can sometimes be helpful to temporarily replace the -SNAPSHOT with a locked -YYYYMMDD.HHMMSS-NNN snapshot. In the long term, you will need to return to the -SNAPSHOT dependencies and then replace them with their release version, but if you need a short term semi-reproducible build, locked -SNAPSHOTs can sometimes be a useful hack.

A pom will most likely specify -SNAPSHOT versions for certain dependencies.

<dependencies>

<dependency>
  <groupId>org.codehaus.cargo</groupId>
  <artifactId>cargo-core-api</artifactId>
  <version>1.0-SNAPSHOT</version>
</dependency>

</dependencies>

Using the lock-snapshots goal, the version can be locked down to the specific timestamped snapshot version used in the build.

mvn versions:lock-snapshots

The pom dependencies are modified to look like the following.

<dependencies>

<dependency>
  <groupId>org.codehaus.cargo</groupId>
  <artifactId>cargo-core-api</artifactId>
  <version>1.0-20081117.213112-16</version>
</dependency>

</dependencies>

You can restrict which dependencies should have their -SNAPSHOT versions locked down. For example, the following will only match dependencies that match the groupId “org.codehaus.plexus” and artifactId “plexus-utils”

mvn versions:lock-snapshots -Dincludes=org.codehaus.plexus:plexus-utils

The includes and excludes parameters follow the format groupId:artifactId:type:classifier. Use a comma separated list to specify multiple includes. Wildcards (*) can also be used to match multiple values.

This example will match anything with the groupId “org.codehaus.plexus” and anything with the groupId and artifactId matching “junit”.

mvn versions:lock-snapshots -Dincludes=org.codehaus.plexus:*,junit:junit

By default, both the project/dependencyManagment and project/dependencies sections will be processed. You can use the processDependencies and processDependencyManagement parameters to control which sections are processed.

This example will only process the project/dependencyManagment section of your pom:

mvn versions:lock-snapshots -DprocessDependencies=false

While this example will only process the project/dependencies section of your pom:

mvn versions:lock-snapshots -DprocessDependencyManagement=false