Use parent pom requireUpperBoundDeps configuration

[MarkEWaite]

Use parent pom requireUpperBoundDeps configuration

jenkinsci/bom#2680 notes that with requireUpperBoundDeps.level=WARN we miss cases where upper bounds checks could have detected an issue earlier.

Let's switch to use the requireUpperBoundDeps configuration provided by the parent pom.

Testing done

I confirmed that mvn help:effective-pom before this change includes the <level>WARN</level>.

After this change it does not include <level>WARN</level> but does include the other settings for requireUpperBoundDeps.

Submitter checklist

• Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
• Ensure that the pull request title represents the desired changelog entry
• Please describe what you did
• Link to relevant issues in GitHub or Jira
• Link to relevant pull requests, esp. upstream and downstream changes
• Ensure you have provided tests - that demonstrates feature works or fixes the issue

[MarkEWaite]

@basil I think this is what was intended as part (b) of the notes in jenkinsci/bom#2680 (comment) . Unfortunately, I'm not able to duplicate the requireUpperBounds error with archUnit that needs to be fixed in part (a). Can you provide some additional guidance on how I can see that failure from one of the repositories that is using the analysis-pom as a parent?

I've attempted with analysis-pom-plugin, data-tables-api-plugin, echarts-api-plugin, prism-api-plugin, and warnings-ng-plugin using a snapshot of the analysis-pom from this pull request, but am unable to see any requireUpperBounds error

[MarkEWaite]

Workaround proposed for bom in:

• Avoid data-tables, echarts, and prism upper bounds error bom#2682

[uhafner]

I don't agree with this solution. From my experience, such enforcer messages are just warnings, like compiler warnings. Such warnings should not fail a build. Typically, the enforcer produces too much noise without actually finding a real problem. In practice, the enforcer did not yet catch a real bug in my plugins since we enabled it in Jenkins. It just caused a lot of pain and superfluous work. So I decided to lower the severity for more than 3 years now, without noticing a "real" problem in production.

Unfortunately, I'm not able to duplicate the requireUpperBounds error with archUnit that needs to be fixed in part (a).

I also do not see any warnings from the enforcer, in which module do they occur?

[basil]

Can you provide some additional guidance on how I can see that failure from one of the repositories that is using the analysis-pom as a parent?

The error can be reproduced using mvn clean verify -Dmaven-enforcer-plugin.version=3.2.1. Newer versions of Enforcer seem to have a different algorithm that doesn't produce a warning in this case, but PCT uses a (copypasta) version of the older algorithm pending jenkinsci/maven-hpi-plugin#391.

I don't agree with this solution.

Thanks so much for your contribution @uhafner !

[uhafner]

The underlying problem is now tracked as https://issues.jenkins.io/browse/JENKINS-72392.

It would make more sense to fix the wrong dependency version in the dependencyManagement section of the analysis-pom.