Actually plexus-component-metadata is a Maven plugin, and Maven plugins can't have a generic 'debian' or '1.x' version (Maven refuses to load the plugin because the version of the pom mismatches the version in the plugin metadata).
Packages depending on libplexus-component-metadata-java should use a rule like this one: org.codehaus.plexus plexus-component-metadata maven-plugin s/1.7/1.5.5/ Emmanuel Bourg