[MNG-6965] Extensions suddenly have org.codehaus.plexus:plexus-utils:jar:1.1 on their classpath - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.0-alpha-3, 3.0, 3.6.0, 3.6.3
Fix Version/s: 3.9.0, 4.0.0-alpha-2, 4.0.0
Component/s: Plugins and Lifecycle
Labels:
- archetype
Environment:
Win7, Win10, at least one variant of Linux (not sure which)

Description

A simple minimal archetype pom following the manual pages downloads plexus-utils 1.1, even though it is not (apparently) declared anywhere. This version is banned at my organization (edited to add: due to vulnerabilities), meaning such a pom always fails.

<project xmlns="http://maven.apache.org/POM/4.0.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
  http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>test</groupId>
<artifactId>test</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>maven-archetype</packaging>
<name>test</name>

<build>
  <extensions> 
    <extension>
      <groupId>org.apache.maven.archetype</groupId>
      <artifactId>archetype-packaging</artifactId>
      <version>3.1.2</version>
    </extension>
  </extensions>

  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-archetype-plugin</artifactId>
        <version>3.1.2</version>
      </plugin>
    </plugins>
  </pluginManagement>
</build>
</project>

Running any goal, such as mvn -X clean, produces the following before the goal is executed:

[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, DefaultDependencyCollector.collectTime=66890900, DefaultDependencyCollector.transformTime=8523500}
[DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:
[DEBUG]    org.codehaus.plexus:plexus-utils:jar:1.1:runtime

As far as I can see, there is no declared dependency on plexus-utils:1.1.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

pom.xml
21/Jul/20 00:56
1 kB
Mark Nolan

Issue Links

causes

MSKINS-220 cannot build with Maven 3.9

Closed

fixes

MNG-7115 MavenITmng5771CoreExtensionsTest fails on maven-3.8.x branch

Closed

is broken by

MNG-2892 Use shade to hide the use of plexus-utils internally so that plugins can use their own version

Closed

relates to

MNG-7097 Plugin Dependency Resolution: don't download Maven-provided artifacts

Closed

supercedes

MNG-3819 [regression] Plugins that don't declare dependency on plexus-utils no longer get plexus-utils:1.1

Closed

links to

GitHub Pull Request #57

GitHub Pull Request #73

GitHub Pull Request #173

GitHub Pull Request #367

GitHub Pull Request #755

(5 links to)

Activity

People

Assignee:: Sylwester Lachiewicz

Reporter:: Mark Nolan

Votes:: 1 Vote for this issue

Watchers:: 14 Start watching this issue

Dates

Created:: 21/Jul/20 00:59

Updated:: 27/Mar/23 22:05

Resolved:: 05/Oct/20 07:08