Description
Hi team,
This issue is to report that the published pom.xml for the com.sendinblue:sib-api-v3-sdk library includes a dependency on org.apache.maven.plugins:maven-gpg-plugin with compile scope.
This dependency appears to be incorrect for the following reasons:
- Plugin Nature: maven-gpg-plugin is a plugin for the Maven build tool, used specifically during the build lifecycle (e.g., for signing artifacts). It does not contain APIs or functionality required for the execution of a client application using the Sendinblue SDK.
- Inappropriate Scope: Dependencies with compile scope are included in the final application classpath. A build plugin should not be on the runtime/compile classpath of an application.
- Classpath Pollution: This transitive dependency brings numerous Maven and Plexus core libraries (e.g., maven-project, maven-artifact, plexus-utils, etc.) into the classpath of the application using the SDK. This causes unnecessary size increase (bloat) and a high risk of version conflicts, especially in complex environments.
Affected Versions:
- 7.0.0 (verified)
- Potentially other versions
Steps to Reproduce:
Create a minimal Maven project.
Add the com.sendinblue:sib-api-v3-sdk dependency to the pom.xml (using one of the affected versions).
```xml
<dependency>
    <groupId>com.sendinblue</groupId>
    <artifactId>sib-api-v3-sdk</artifactId>
    <version>[SDK_VERSION]</version>
</dependency>
```
Run the command mvn dependency:tree.
Observed Behavior:
The output of mvn dependency:tree shows maven-gpg-plugin and its transitive dependencies included under the com.sendinblue:sib-api-v3-sdk node, for example:
```text
[INFO] \- com.sendinblue:sib-api-v3-sdk:jar:[SDK_VERSION]:compile
[INFO]    +- com.squareup.okio:okio:jar:1.14.0:compile
[INFO]    +- org.threeten:threetenbp:jar:1.3.5:compile
[INFO]    \- org.apache.maven.plugins:maven-gpg-plugin:jar:1.5:compile <-- PROBLEM
[INFO]       +- org.apache.maven:maven-plugin-api:jar:2.0.6:compile
[INFO]       +- org.apache.maven:maven-project:jar:2.0.6:compile
[INFO]       |  +- org.apache.maven:maven-settings:jar:2.0.6:compile
[INFO]       |  +- org.apache.maven:maven-profile:jar:2.0.6:compile
[INFO]       |  +- org.apache.maven:maven-artifact-manager:jar:2.0.6:compile
[INFO]       |  |  +- org.apache.maven:maven-repository-metadata:jar:2.0.6:compile
[INFO]       |  |  \- org.apache.maven.wagon:wagon-provider-api:jar:1.0-beta-2:compile
[INFO]       |  \- org.apache.maven:maven-plugin-registry:jar:2.0.6:compile
[INFO]       +- org.apache.maven:maven-artifact:jar:2.0.6:compile
[INFO]       +- org.apache.maven:maven-model:jar:2.0.6:compile
[INFO]       \- org.codehaus.plexus:plexus-utils:jar:3.0.15:compile
```
(Note: The exact versions of the gpg-plugin's transitive dependencies might vary slightly)
Expected Behavior:
The org.apache.maven.plugins:maven-gpg-plugin dependency should not be present among the compile or runtime dependencies of the published SDK.
Possible Solution:
Remove the maven-gpg-plugin dependency declaration from the section of the sib-api-v3-sdk artifact's pom.xml published on Maven Central. If this plugin is necessary for your internal build/release process, it should be managed in the section of your POM, not in the library's dependencies.
Impact:
This issue causes the inclusion of approximately 1MB of unnecessary and potentially conflicting dependencies in the classpath of the library's users.
Thank you for your attention to this issue.
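A consumer-side check for the problem described in this report, added here as an example and not part of the issue or of the SDK project: it scans `mvn dependency:tree` output for artifacts from the `org.apache.maven.plugins` group that have landed in compile or runtime scope, so a CI job can fail before such a transitive plugin reaches the application classpath. The function names and the sample tree lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: detect Maven build plugins leaked into the application classpath.
# Feed it the text of `mvn dependency:tree`; only compile and runtime scopes are
# flagged, because those are the scopes that end up in the packaged application.

# Prints groupId:artifactId of every org.apache.maven.plugins artifact that
# appears in compile or runtime scope, one per line (nothing if none).
list_plugin_leaks() {
    printf '%s\n' "$1" \
        | sed -n -E 's/^.*[[:space:]](org\.apache\.maven\.plugins:[^:]+):.*:(compile|runtime)( .*)?$/\1/p'
}

# Returns 0 when the tree is clean, 1 (with the offenders on stderr) otherwise.
check_plugin_leak() {
    leaks=$(list_plugin_leaks "$1")
    if [ -n "$leaks" ]; then
        printf 'Build plugin(s) on the application classpath:\n%s\n' "$leaks" >&2
        return 1
    fi
    return 0
}

# Constructed sample: a tree shaped like the one in the report (plugin present).
SAMPLE_BAD='[INFO] \- com.sendinblue:sib-api-v3-sdk:jar:7.0.0:compile
[INFO]    +- com.squareup.okio:okio:jar:1.14.0:compile
[INFO]    \- org.apache.maven.plugins:maven-gpg-plugin:jar:1.5:compile <-- PROBLEM'

# Constructed sample: the same SDK with the plugin gone from its dependencies.
SAMPLE_GOOD='[INFO] \- com.sendinblue:sib-api-v3-sdk:jar:7.0.0:compile
[INFO]    +- com.squareup.okio:okio:jar:1.14.0:compile
[INFO]    \- org.threeten:threetenbp:jar:1.3.5:compile'

# Stand-alone demonstration on the constructed samples.
check_plugin_leak "$SAMPLE_GOOD" && echo "good tree: clean"
check_plugin_leak "$SAMPLE_BAD" 2>/dev/null || echo "bad tree: plugin leak detected"
```

In a real pipeline, replace the constructed samples with `check_plugin_leak "$(mvn -q dependency:tree)"` and let the non-zero exit status fail the build.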