Howdy

Yes, mvn4 has a bom (two of them to be more precise) but mvn3 does not.
This makes me think we'd need BOM (two of them) for mvn3 as well.

Problem: mvn4 is able to consume BOM w/ classifier while mvn3 cannot,
hence artifactID distinction is needed. As BOM is different whoever you ask:
reactor-only (would not help here) or "full stack" (is needed here).

Thanks

On Fri, Aug 22, 2025, 21:18 Thomas Broyer <t.bro...@gmail.com> wrote:

> Is there a BOM that could (and should) be used?
>
> (fwiw, this was underdocumented last time I looked years ago, maybe it no
> longer is nowadays?)
>
> Thomas Broyer
> /tɔ.ma.bʁwa.je/
> <https://ipa-reader.com/?text=t%C9%94.ma.b%CA%81wa.je&voice=Mathieu>
>
> On Fri, Aug 22, 2025, 20:02, Tamás Cservenák <ta...@cservenak.net> wrote:
>
> > Howdy,
> >
> > I was just checking downstream dependencies of Resolver 2.x and was
> > first surprised how many of them are:
> >
> > https://deps.dev/maven/org.apache.maven.resolver%3Amaven-resolver-api/2.0.10/dependents
> >
> > By inspecting, I discovered that MANY are in fact Maven 3 plugins (!),
> > building against some Maven 3.9.x version AND Resolver 2.0.x!!!
> >
> > By spot testing, I see these versions usually entered plugin projects
> > via automated dependency updates that were "green" and then (blindly)
> > merged. This is wrong!
> >
> > The Resolver version in the case of Maven plugins should be kept in
> > "lockstep" with the Maven the plugin is built against (as those artifacts
> > are swapped out at runtime with runtime provided ones). This works based
> > on the GA exported by Maven Core. Maven 3 uses Resolver 1, so exported GAs
> > are based on Resolver 1.x, while Resolver 2.x introduces new artifacts but
> > also things like transport renames (http -> apache, new jdk transport,
> > etc). Basically, Resolver 2.x was NEVER meant to be used by Maven 3
> > plugins!
> >
> > Automated updates done by dependabot and the like _work_ as Resolver 2.x
> > is strict regarding source and binary compatibility, see
> > https://maven.apache.org/resolver/upgrading-resolver.html but this
> > does not mean it is "right thing to do" (tm).
> >
> > Again, in the case of Maven plugins, major Maven dependencies usually need
> > to be kept in "lockstep" (e.g. if you build against Maven 3.9.11 you
> > should use Resolver 1.9.24).
> >
> > Maven 3 uses Resolver 1.x lineage, while Maven 4 uses Resolver 2.x
> > lineage.
> >
> > Mixing two major versions should not happen!
> >
> > Thanks
> > T
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
> > For additional commands, e-mail: users-h...@maven.apache.org
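
One way to catch the mixed-lineage case described in this thread before an automated update is merged, as an added example that is not part of the original messages or of any Maven tooling: a check that reads a plugin's POM and reports Maven 3 core artifacts declared alongside Resolver 2.x (or Maven 4 alongside Resolver 1.x). The function name, the sample POM and the `MAVEN_CORE` subset are assumptions, and only versions declared or property-resolved inside the given POM are inspected.

```python
import re
import xml.etree.ElementTree as ET

# Pairing stated in the thread: Maven 3 -> Resolver 1.x, Maven 4 -> Resolver 2.x.
EXPECTED_RESOLVER_MAJOR = {3: 1, 4: 2}
# Assumption: a small subset of Maven core artifacts is enough to identify the Maven line.
MAVEN_CORE = {"maven-core", "maven-plugin-api", "maven-model", "maven-artifact"}

# Constructed sample: a Maven 3 plugin whose Resolver property was bumped to 2.x.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <mavenVersion>3.9.11</mavenVersion>
    <resolverVersion>2.0.10</resolverVersion>
  </properties>
  <dependencies>
    <dependency><groupId>org.apache.maven</groupId><artifactId>maven-core</artifactId>
      <version>${mavenVersion}</version><scope>provided</scope></dependency>
    <dependency><groupId>org.apache.maven.resolver</groupId><artifactId>maven-resolver-api</artifactId>
      <version>${resolverVersion}</version><scope>provided</scope></dependency>
  </dependencies>
</project>"""

def lineage_mismatches(pom_xml):
    """Return (maven_ga, maven_version, resolver_ga, resolver_version) for mixed lineages."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():                      # drop the POM namespace from tag names
        el.tag = el.tag.split("}", 1)[-1]
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    maven, resolver = [], []
    for dep in root.iter("dependency"):
        group = (dep.findtext("groupId") or "").strip()
        artifact = (dep.findtext("artifactId") or "").strip()
        raw = (dep.findtext("version") or "").strip()
        # Expand ${property} references declared in this POM; unknown ones stay as-is.
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        major = re.match(r"(\d+)\.", version)
        if not major:
            continue                            # inherited or unresolved version: cannot judge
        entry = (f"{group}:{artifact}", version, int(major.group(1)))
        if group == "org.apache.maven" and artifact in MAVEN_CORE:
            maven.append(entry)
        elif group == "org.apache.maven.resolver":
            resolver.append(entry)
    return [(mg, mv, rg, rv) for mg, mv, mm in maven for rg, rv, rm in resolver
            if EXPECTED_RESOLVER_MAJOR.get(mm, rm) != rm]

if __name__ == "__main__":
    for hit in lineage_mismatches(SAMPLE_POM):
        print("mixed lineage: %s:%s with %s:%s" % hit)
```

Run as a required status check on dependency-update pull requests, a non-empty result blocks the merge even when the build itself is green.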