Dependency Management

This section details some ways to simplify the management of dependency versions.

Jenkins Core BOM

Since version 2.195, Jenkins Core provides a Maven Bill Of Materials (BOM) that centrally defines versions of various libraries used by Jenkins. If you are using Maven to build your plugin, then you can simplify dependency management by importing this BOM, at jenkins.version. Then, dependency versions will automatically be synchronised with whatever version of Jenkins you are building against. This can help to avoid build errors like:

[WARNING] Rule 4: org.apache.maven.plugins.enforcer.RequireUpperBoundDeps failed with message:
Failed while enforcing RequireUpperBoundDeps. The error(s) are [
Require upper bound dependencies error for commons-codec:commons-codec:1.9 paths to dependency are:
+-org.jenkins-ci.plugins:blueocean-display-url:2.3.1-SNAPSHOT
  +-commons-codec:commons-codec:1.9
and
+-org.jenkins-ci.plugins:blueocean-display-url:2.3.1-SNAPSHOT
  +-org.jenkins-ci.main:jenkins-core:2.195
    +-commons-codec:commons-codec:1.12
,
Require upper bound dependencies error for org.slf4j:jcl-over-slf4j:1.7.25 paths to dependency are:
+-org.jenkins-ci.plugins:blueocean-display-url:2.3.1-SNAPSHOT
  +-org.slf4j:jcl-over-slf4j:1.7.25
and
+-org.jenkins-ci.plugins:blueocean-display-url:2.3.1-SNAPSHOT
  +-org.jenkins-ci.main:jenkins-core:2.195
    +-org.slf4j:jcl-over-slf4j:1.7.26

What this error is saying is that there is a conflict between the versions of commons-codec and jcl-over-slf4j specified by the plugin versus Jenkins. Without using the BOM, you would need to go and update the dependencies in your plugin to match those required by Jenkins, and then keep changing these as your jenkins.version changes. With the BOM all you have to do is import the jenkins-bom for the version of Jenkins you are building against, and the versions of these and other common dependencies will be matched to that version of Jenkins.

To use the Jenkins Core BOM in your plugin, just import the BOM in your plugin’s POM and set slf4jVersion appropriately. For example:

<properties>
        <slf4jVersion>1.7.26</slf4jVersion>
</properties>
<dependencyManagement>
        <dependencies>
                <dependency>
                    <groupId>org.jenkins-ci.main</groupId>
                    <artifactId>jenkins-bom</artifactId>
                    <version>${jenkins.version}</version>
                    <type>pom</type>
                    <scope>import</scope>
                </dependency>
        </dependencies>
</dependencyManagement>

Or, if you are using the plugin-pom (3.52 or later) as the parent, then things are even easier as there is a profile that will manage this for you. The default behaviour of plugin-pom is to not use the BOM, but you can switch on BOM support by setting the Maven property use-jenkins-bom. For example:

	mvn -Djenkins.version=2.195 -Duse-jenkins-bom package

This will use the Core BOM for Jenkins 2.195.

If you want this to become the default for building your plugin, you can avoid having to specify the use-jenkins-bom property on the command line every time by putting it into a .mvn/maven.config file in the root of your plugin project:

	-Duse-jenkins-bom

Jenkins Plugin BOM

See the jenkinsci/bom repository

Dependabot

See the discussion here.

References