Uploaded image for project: 'Maven'
  1. Maven
  2. MNG-6965

Extensions suddenly have org.codehaus.plexus:plexus-utils:jar:1.1 on their classpath

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.6.0, 3.6.3
    • Fix Version/s: 3.7.0
    • Component/s: Plugins and Lifecycle
    • Labels:
    • Environment:
      Win7, Win10, at least one variant of Linux (not sure which)

      Description

      A simple minimal archetype pom following the manual pages downloads plexus-utils 1.1, even though it is not (apparently) declared anywhere. This version is banned at my organization (edited to add: due to vulnerabilities), meaning such a pom always fails.

       

      <project xmlns="http://maven.apache.org/POM/4.0.0"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
        http://maven.apache.org/xsd/maven-4.0.0.xsd">
      <modelVersion>4.0.0</modelVersion>
      <groupId>test</groupId>
      <artifactId>test</artifactId>
      <version>0.0.1-SNAPSHOT</version>
      <packaging>maven-archetype</packaging>
      <name>test</name>
      
      <build>
        <extensions> 
          <extension>
            <groupId>org.apache.maven.archetype</groupId>
            <artifactId>archetype-packaging</artifactId>
            <version>3.1.2</version>
          </extension>
        </extensions>
      
        <pluginManagement>
          <plugins>
            <plugin>
              <groupId>org.apache.maven.plugins</groupId>
              <artifactId>maven-archetype-plugin</artifactId>
              <version>3.1.2</version>
            </plugin>
          </plugins>
        </pluginManagement>
      </build>
      </project>
      

      Running any goal, such as mvn -X clean, produces the following before the goal is executed:

      [DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, DefaultDependencyCollector.collectTime=66890900, DefaultDependencyCollector.transformTime=8523500}
      [DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:
      [DEBUG]    org.codehaus.plexus:plexus-utils:jar:1.1:runtime
      

       

      As far as I can see, there is no declared dependency on plexus-utils:1.1.

       

        Attachments

        1. pom.xml
          1 kB
          Mark Nolan

          Activity

            People

            • Assignee:
              slachiewicz Sylwester Lachiewicz
              Reporter:
              manolan Mark Nolan
            • Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: