It's dependency:resolve-plugins that's wrong. What you can do is run a Maven build with the -X flag and look at the beginning of the maven-jar-plugin execution. There you should see the resolved tree of the plugin's dependencies.
/Anders On Wed, May 8, 2019 at 11:18 AM Eric Lilja <mindcoo...@gmail.com> wrote: > Hi, and thanks for the answers! We (and many others I'm sure) are happy to > see new releases as soon as possible, of course :-) > > Anders: Thanks for the workaround, I implemented it in our corporate pom > for maven-jar-plugin and maven-source-plugin, plus maven-javadoc-plugin. > Then I wiped out .m2/repository and built the corporate parent and then one > of our smaller projects (which had been changed to use the new parent > version). I could see it downloaded version 4.1.0 of plexus-archiver, along > with 3.3, 3.4, 3.5, 3.6.0, and 3.7.0 (it was simple mvn clean install, > which also builds a source-jar and javadocs). > > However, when I do: dependency:resolve-plugins, I get: > [INFO] > org.apache.maven.plugins:maven-jar-plugin:maven-plugin:3.1.1:runtime > [INFO] org.apache.maven.plugins:maven-jar-plugin:jar:3.1.1 > [INFO] org.apache.maven:maven-plugin-api:jar:3.0 > [INFO] org.apache.maven:maven-model:jar:3.0 > [INFO] org.sonatype.sisu:sisu-inject-plexus:jar:1.4.2 > [INFO] org.sonatype.sisu:sisu-inject-bean:jar:1.4.2 > [INFO] org.sonatype.sisu:sisu-guice:jar:noaop:2.1.7 > [INFO] org.apache.maven:maven-core:jar:3.0 > [INFO] org.apache.maven:maven-settings:jar:3.0 > [INFO] org.apache.maven:maven-settings-builder:jar:3.0 > [INFO] org.apache.maven:maven-repository-metadata:jar:3.0 > [INFO] org.apache.maven:maven-model-builder:jar:3.0 > [INFO] org.apache.maven:maven-aether-provider:jar:3.0 > [INFO] org.sonatype.aether:aether-impl:jar:1.7 > [INFO] org.sonatype.aether:aether-spi:jar:1.7 > [INFO] org.sonatype.aether:aether-api:jar:1.7 > [INFO] org.sonatype.aether:aether-util:jar:1.7 > [INFO] org.codehaus.plexus:plexus-interpolation:jar:1.14 > [INFO] org.codehaus.plexus:plexus-classworlds:jar:2.2.3 > [INFO] org.codehaus.plexus:plexus-component-annotations:jar:1.7.1 > [INFO] org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3 > [INFO] org.sonatype.plexus:plexus-cipher:jar:1.4 > [INFO] org.apache.maven:maven-artifact:jar:3.0 > [INFO] org.apache.maven:maven-archiver:jar:3.3.0 > [INFO] org.apache.maven.shared:maven-shared-utils:jar:3.2.1 > [INFO] commons-io:commons-io:jar:2.5 > [INFO] org.codehaus.plexus:plexus-archiver:jar:3.7.0 <------ > [INFO] org.codehaus.plexus:plexus-io:jar:3.1.0 > [INFO] org.apache.commons:commons-compress:jar:1.18 > [INFO] org.iq80.snappy:snappy:jar:0.4 > [INFO] org.tukaani:xz:jar:1.8 > [INFO] org.codehaus.plexus:plexus-utils:jar:3.1.0 > > Here's it still listing 3.7.0 of plexus-archiver, did it not work or does > dependency:resolve-plugins fail to pick up version overrides? Same behavior > for maven-source-plugin and maven-javadoc-plugin, both list their original > dependencies in dependency:resolve-plugins > > (Unrelated question: Is the order of dependencies random in the above list > or is it classpath order? If it's random, it would be better if it was > sorted, so it's easy for the human eye to scan for a particular dependency) > > - Eric L > > On Tue, May 7, 2019 at 9:16 PM Anders Hammar <and...@hammar.net> wrote: > > > Checking m-jar-p, what is needed is an upgrade of plexus-archiver to > > version 4.0.0+ as it includes an upgraded dependency to plexus-io v3.1.1. > > See [1]. > > If you include m-jar-p in the pluginManagement section of your corporate > > parent-POM, you could bump this on the existing maven-jar-plugin v3.1.1 > > like this: > > <plugin> > > <groupId>org.apache.maven.plugins</groupId> > > <artifactId>maven-jar-plugin</artifactId> > > <version>3.1.1</version> > > <dependencies> > > <dependency> > > <groupId>org.codehaus.plexus</groupId> > > <artifactId>plexus-archiver</artifactId> > > <version>4.1.0</version> > > </dependency> > > </dependencies> > > </plugin> > > > > [1] > > > > > https://github.com/codehaus-plexus/plexus-archiver/blob/master/ReleaseNotes.md#plexus-archiver-400 > > > > /Anders > > > > On Tue, May 7, 2019 at 8:07 PM Eric Lilja <mindcoo...@gmail.com> wrote: > > > > > Hi, in my organization we're seeing big increases in build time using > > newer > > > versions of maven-jar-plugin and maven-sources-plugin, because those > > > plugins are affected by a bug in plexus-io. > > > > > > The issue in plexus-io has been fixed since some time: [1] and I > > believe a > > > release has been made of relevant plexus components containing the fix > > (but > > > I might be wrong about that). > > > > > > However, both MJAR-259 [2] and MSOURCES-119 [3] are still open. When > can > > we > > > expect new releases of these two plugins (and other plugins/components > > > affected by the same issue)? Is something block the release or no one > > > simply got around to it yet? > > > > > > We're trying to stay current and modern in our little eco-system at > work, > > > but this issue is holding us back on older versions of aforementioned > > > plugins. > > > > > > Thanks for your time! > > > > > > - Eric L > > > > > > [1] https://github.com/codehaus-plexus/plexus-io/pull/17 > > > [2] https://issues.apache.org/jira/browse/MJAR-259 > > > [3] https://issues.apache.org/jira/browse/MSOURCES-119 > > > > > >