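For a Java/Maven project, how do you export the list of library dependencies used in the project, together with their version numbers, so that it can be checked against open-source compliance requirements?
In the Maven project directory, run the following command (-Dscope specifies the scope; in this example, test- and system-related dependencies are not output; valid scope values: compile, provided, runtime, test, system):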
mvn dependency:tree -DoutputType=text -Dscope=runtime | grep '\[INFO\] [+\\]- ' | awk -F: '{print $2", "$4}' | sort | uniq
This produces the list, for example:
commons-lang3, 3.12.0
fastjson, 2.0.10
guava, 31.1-jre
hibernate-core, 5.6.14.Final
jmockit, 1.9
junit-platform-launcher, 1.8.2
kafka-clients, 3.1.2
lombok, 1.18.24
pdfbox, 2.0.20
spring-boot-starter-data-jpa, 2.7.7
spring-boot-starter-data-mongodb, 2.7.7
spring-boot-starter-test, 2.7.7
spring-boot-starter-tomcat, 2.7.7
spring-boot-starter-validation, 2.7.7
spring-boot-starter-web, 2.7.7
spring-data-jpa, 2.7.6
spring-kafka, 2.8.4
springfox-swagger-ui, 2.9.2
springfox-swagger2, 2.9.2
validation-api, 2.0.1.Final
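The one-liner above lists direct dependencies by artifactId only. As an added example (not part of the original page), the shell function below goes further and lists every node of the tree, direct and transitive, with groupId and scope, and handles coordinates that carry a classifier. The function names deps_from_tree and sample_tree and the sample tree itself are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn `mvn dependency:tree` text output (read from stdin)
# into "groupId:artifactId, version, scope" lines, one per unique dependency.
# Real use: mvn dependency:tree -DoutputType=text -Dscope=runtime | deps_from_tree

deps_from_tree() {
    # A tree node is "[INFO] ", optional "|  " / "   " indentation,
    # then "+- " (more siblings follow) or "\- " (last child).
    grep -E '^\[INFO\] [| ]*[+\\]- ' |
    sed -E 's/^\[INFO\] [| ]*[+\\]- //' |
    awk -F: '
        # groupId:artifactId:type:version:scope
        NF == 5 { print $1 ":" $2 ", " $4 ", " $5 }
        # groupId:artifactId:type:classifier:version:scope
        NF == 6 { print $1 ":" $2 ", " $5 ", " $6 }
    ' |
    sort -u
}

# Constructed sample input (not taken from a real build): two nesting
# levels, last-child "\-" markers, and one coordinate with a classifier.
sample_tree() {
    cat <<'EOF'
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] +- com.google.guava:guava:jar:31.1-jre:compile
[INFO] |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  \- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.86.Final:runtime
[INFO] \- org.apache.pdfbox:pdfbox:jar:2.0.20:compile
[INFO]    \- commons-logging:commons-logging:jar:1.2:compile
EOF
}

sample_tree | deps_from_tree
```

Keeping the groupId avoids confusing two libraries that share an artifactId, and the transitive entries are the ones a license review most often misses.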
For Node/NPM projects, the following command can be used:
npm list --depth=0 | grep '[+`]--' | awk '{print $2}' | sed 's/\(.*\)@/\1,/' | sort | uniq
Or the following command:
grep -A 100 '"dependencies": {' package.json | grep -B 100 '}' | grep -o '"[^"]*": "[^"]*"' | sed 's/"//g' | sed 's/: /, /' | sort
This exports the list of external dependencies, for example:
@typescript-eslint/parser,5.59.6
@willsoto/nestjs-prometheus,5.1.2
axios,0.27.2
class-transformer,0.5.1