Gemfile.lock equivalent in Maven and gradle

Question

As Maven (client) and IvyResolver (used by Gradle) Bundler solves libraries dependencies that was declared on configuration file (Gemfile for bundler). However, after that Bundler saves dependency resolution on Gemfile.lock. It allows other developers use exactly the same libraries.

For instance, Maven use a determinist by not clear way to resolve conflict in dependency resolution. For example, specifying version as ...

<version>1.0.1</version>

is not guarantee that version will be used. And specifying version as ...

<version>[1.0.0,2.0.0)</version>

give us almost no guarantee.

Yes, I could write manually all versions listed by

mvn dependency:resolve

But, is there any automatic way to do that?

To be very clear: is there any equivalent to Gemfile.lock in Maven or Gradle?

---

Java developers, if you are not familiar with Gemfile.lock, Bundler, please check:

http://bundler.io/v1.3/rationale.html

The important part I copy below:

Checking Your Code into Version Control

After developing your application for a while, check in the application together with the Gemfile and Gemfile.lock snapshot. Now, your repository has a record of the exact versions of all of the gems that you used the last time you know for sure that the application worked. Keep in mind that while your Gemfile lists only three gems (with varying degrees of version strictness), your application depends on dozens of gems, once you take into consideration all of the implicit requirements of the gems you depend on.

This is important: the Gemfile.lock makes your application a single package of both your own code and the third-party code it ran the last time you know for sure that everything worked. Specifying exact versions of the third-party code you depend on in your Gemfile would not provide the same guarantee, because gems usually declare a range of versions for their dependencies.

The next time you run bundle install on the same machine, bundler will see that it already has all of the dependencies you need, and skip the installation process.

"You are not correct. Maven can garantee the version"

Yes, right. If you have a version declared in the very pom.xml, maven uses it. But, if it was declared in parent pom, this garantee is vanished.

Dependency mediation - this determines what version of a dependency will be used when multiple versions of an artifact are encountered. Currently, Maven 2.0 only supports using the "nearest definition" which means that it will use the version of the closest dependency to your project in the tree of dependencies. You can always guarantee a version by declaring it explicitly in your project's POM. Note that if two dependency versions are at the same depth in the dependency tree, until Maven 2.0.8 it was not defined which one would win, but since Maven 2.0.9 it's the order in the declaration that counts: the first declaration wins.

"nearest definition" means that the version used will be the closest one to your project in the tree of dependencies, eg. if dependencies for A, B, and C are defined as A -> B -> C -> D 2.0 and A -> E -> D 1.0, then D 1.0 will be used when building A because the path from A to D through E is shorter. You could explicitly add a dependency to D 2.0 in A to force the use of D 2.0

Oh, looks like this is the opposite of DRY principle.

Answer 1

The nebula.gradle-dependency-lock plugin does just that.

PS: Gradle doesn't use Ivy anymore (if that's what you mean by IvyResolver).