maven-deploy-plugin is included as a transitive dependency in 1.7.1

[myuwono]

Hi All,

I wonder if the inclusion of maven-deploy-plugin in the 1.7.1 release intended?

https://github.com/splunk/splunk-sdk-java/blob/master/pom.xml#L34-L39

We realized this because our security scanner picked that up in the deployment bundle. Right now we needed to explicitly exclude this in our pom, to prevent this from being included. i.e.

        <!-- Splunk -->
        <dependency>
            <groupId>com.splunk</groupId>
            <artifactId>splunk</artifactId>
            <version>1.7.1</version>
            <exclusions>
                <exclusion>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-deploy-plugin</artifactId>
                </exclusion>
            </exclusions>
        </dependency>

Thanks!

[bparmar-splunk]

Hi @myuwono,
Thanks for posting this.

Yes, it was intentionally kept earlier with regards to SDK v1.7.0, because we have skipped parent pom deployment and only deployment of splunk (child module) was targeted.
But in recent version (i.e. v1.7.1), we had deployed parent module, due to missing dependencies in child.

So as a part of next release, we are planning to add deploy plugin in parent and remove it from splunk module.

[bparmar-splunk]

We have successfully released Java SDK new version 1.8.0.
This issue is already been part of this release.
Hence, closing this ticket.