There’s a huge amount of complaining and problem solving around various
dependency management solutions (particularly Maven, but Ivy and friends
certainly aren’t immune). Problems range from optional dependencies being
unnecessarily included to duplicate classes or class conflicts, and the
solutions tend to be complex and involve a lot of trade-offs. All these
problems stem from breaking the golden rule of dependency management:
Own your own repository
(Sutton’s golden rule of dependency management)
The vast majority, if not all, of the problems with dependency management
come from having incorrect, conflicting or imprecise metadata in the
repository of dependencies. Maintaining a public repository of perfectly
accurate, precise and flexible dependency metadata is next to impossible:
there are just too many libraries and the interrelationships are too
complex. Fortunately, even extremely large companies only use a tiny
subset of these libraries. With the scope reduced it’s much easier to
ensure the metadata is correct and consistent.
Any time you need to introduce a new dependency, very carefully review
the metadata associated with it and correct any errors or inconsistencies
before importing it into the repository you administer and control.
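One way to make that review mechanical, as an added example that is not part of the original post: the Python script below parses a constructed Maven POM and flags the kinds of metadata the post warns about (the same coordinates declared twice, version ranges, snapshots, missing versions and optional flags). The POM contents and all coordinates in it are invented for illustration.

```python
# Added example: flag imprecise or conflicting dependency metadata in a Maven POM.
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM; the coordinates are invented for illustration.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>widget</artifactId><version>1.0</version>
  <dependencies>
    <dependency><groupId>example</groupId><artifactId>core</artifactId><version>2.3</version></dependency>
    <dependency><groupId>example</groupId><artifactId>core</artifactId><version>2.4</version></dependency>
    <dependency><groupId>example</groupId><artifactId>logging</artifactId><version>[1.0,2.0)</version></dependency>
    <dependency><groupId>example</groupId><artifactId>extras</artifactId><version>0.9-SNAPSHOT</version><optional>true</optional></dependency>
    <dependency><groupId>example</groupId><artifactId>util</artifactId></dependency>
  </dependencies>
</project>"""

def _text(dep, tag):
    node = dep.find(f"m:{tag}", NS)
    return node.text.strip() if node is not None and node.text else None

def review_pom(pom_xml):
    """Return findings about the POM's dependency metadata; empty means it is precise."""
    root = ET.fromstring(pom_xml)
    findings, coords = [], []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        ga = f"{_text(dep, 'groupId')}:{_text(dep, 'artifactId')}"
        version = _text(dep, "version")
        coords.append(ga)
        if version is None:
            findings.append(f"{ga}: no version declared; pin it before import")
        elif version.startswith(("[", "(")):
            findings.append(f"{ga}: version range {version} is imprecise")
        elif version.endswith("-SNAPSHOT"):
            findings.append(f"{ga}: snapshot version {version} is not reproducible")
        if _text(dep, "optional") == "true":
            findings.append(f"{ga}: marked optional; confirm consumers do not rely on it")
    # The same coordinates declared twice is exactly the conflicting metadata the post describes.
    for ga, n in Counter(coords).items():
        if n > 1:
            findings.append(f"{ga}: declared {n} times with conflicting metadata")
    return findings

if __name__ == "__main__":
    print("\n".join(review_pom(SAMPLE_POM)))
```

Run it against a real POM by replacing SAMPLE_POM with the file contents; an empty result is the bar to clear before the artifact goes into the repository you control.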
You don’t let anyone commit to your source code repository; don’t let anyone commit to your dependency repository either.