Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
2.0.8
-
None
Description
Currently, a plugin may define additional pluginRepositories, which are used to resolve dependencies of that plugin.
This leads to the fact that a plugin might resolve a dependency which would normally not be available to the project.
When it does that, it seems to write a metadata-central (although on the central repo this artifact does not exist) and thus, the project will use that dependency, too.
How to reproduce:
1. remove xstream from local repo:
rm -Rf ~/.m2/repository/com/thoughtworks/xstream
2. run mvn clean install on the attached pom.xml
-> the build should fail because the version 1.3.0-SNAPSHOT is not available at repo1.maven.org
3. edit the pom.xml, uncomment the plugin definition (jspc used for demonstration purposes only)
3. run mvn clean install again
-> the build succeeds and the 1.3.0-SNAPSHOT is being built into the artifact, which is wrong.