[jira] [Commented] (MNG-6965) Extensions suddenly have org.codehaus.plexus:plexus-utils:jar:1.1 on their classpath

[Abel Salgado Romero (Jira)]

    [ 
https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17702532#comment-17702532
 ] 

Abel Salgado Romero commented on MNG-6965:
------------------------------------------

I just hit this upgrading our plugin CI to 3.9.1 and besd on this conversation 
is not cret to me if this is something that will be fixed or not. As reported, 
`plexus-utils` as `provided` is no longer working and we need to add as 
`compile` to fix it, but this is also stated as a invalid configuration. May I 
assume based on 
https://issues.apache.org/jira/browse/MNG-6965?focusedCommentId=17499735&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17499735
 this is be fixed in 3.9.2?

Thanks a lot for all the work!


> Extensions suddenly have org.codehaus.plexus:plexus-utils:jar:1.1 on their 
> classpath
> ------------------------------------------------------------------------------------
>
>                 Key: MNG-6965
>                 URL: https://issues.apache.org/jira/browse/MNG-6965
>             Project: Maven
>          Issue Type: Bug
>          Components: Plugins and Lifecycle
>    Affects Versions: 3.0-alpha-3, 3.0, 3.6.0, 3.6.3
>         Environment: Win7, Win10, at least one variant of Linux (not sure 
> which)
>            Reporter: Mark Nolan
>            Assignee: Sylwester Lachiewicz
>            Priority: Major
>              Labels: archetype
>             Fix For: 3.9.0, 4.0.0-alpha-2, 4.0.0
>
>         Attachments: pom.xml
>
>
> A simple minimal archetype pom following the manual pages downloads 
> plexus-utils 1.1, even though it is not (apparently) declared anywhere. This 
> version is banned at my organization (edited to add: due to vulnerabilities), 
> meaning such a pom always fails.
>  
> {code:xml}
> <project xmlns="http://maven.apache.org/POM/4.0.0";
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
>   xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
>   http://maven.apache.org/xsd/maven-4.0.0.xsd";>
> <modelVersion>4.0.0</modelVersion>
> <groupId>test</groupId>
> <artifactId>test</artifactId>
> <version>0.0.1-SNAPSHOT</version>
> <packaging>maven-archetype</packaging>
> <name>test</name>
> <build>
>   <extensions> 
>     <extension>
>       <groupId>org.apache.maven.archetype</groupId>
>       <artifactId>archetype-packaging</artifactId>
>       <version>3.1.2</version>
>     </extension>
>   </extensions>
>   <pluginManagement>
>     <plugins>
>       <plugin>
>         <groupId>org.apache.maven.plugins</groupId>
>         <artifactId>maven-archetype-plugin</artifactId>
>         <version>3.1.2</version>
>       </plugin>
>     </plugins>
>   </pluginManagement>
> </build>
> </project>
> {code}
> Running any goal, such as mvn -X clean, produces the following before the 
> goal is executed:
> {code}
> [DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, 
> ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, 
> ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, 
> ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, 
> ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, 
> DefaultDependencyCollector.collectTime=66890900, 
> DefaultDependencyCollector.transformTime=8523500}
> [DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:
> [DEBUG]    org.codehaus.plexus:plexus-utils:jar:1.1:runtime
> {code}
>  
> As far as I can see, there is no declared dependency on plexus-utils:1.1.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)