I got the file, and the test case there is the following (minimal pom
below):

    <dependency>
      <groupId>xalan</groupId>
      <artifactId>xalan</artifactId>
      <version>[2.7.2]</version>
    </dependency>

It causes Maven resolution to fail (see log below) when running something
like "mvn dependency:tree".
Frankly speaking, it is a bit strange to see a version declaration like
[2.7.2] (why not just 2.7.2 without version ranges?).
However, it is a valid version declaration, so it might appear in practice.

The workaround is to use <version>2.7.2</version>; however, it won't
protect the project from accidentally using 2.7.3.
An alternative option is to just use 2.7.3, and add a dependency on
xalan:serializer:2.7.3 side by side with xalan:xalan:2.7.3.
Both workarounds should fix the issue for the particular users; however, it
sounds devastating :(

I would say Maven could do better when resolving a range that is known to
have a single version only.
Maven could skip a query to maven-metadata.xml in that case.
However, we really need to update maven-metadata.xml somehow.

I will ask Sonatype to update maven-metadata.xml at Central, and then we
need to ask INFRA to restore old Xalan jars at repository.apache.org.

The worst thing is that xalan 2.7.2 is no longer present at
repository.apache.org:
https://repository.apache.org/service/local/repositories/releases/content/xalan/xalan/2.7.2/xalan-2.7.2.pom
We basically lost a release artifact.

That might explain the reason maven-metadata.xml at repository.apache.org
is missing the 2.7.2 version (and the previous ones),
and it probably got synchronized to Central, which caused the resolution
issue.

[INFO] Building Xalan-Issue-Reproducer 1.0.0
[INFO] --------------------------------[ jar ]---------------------------------
Downloading from central: https://repo.maven.apache.org/maven2/xalan/xalan/maven-metadata.xml
Downloaded from central: https://repo.maven.apache.org/maven2/xalan/xalan/maven-metadata.xml (317 B at 381 B/s)
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.096 s
[INFO] Finished at: 2023-05-16T18:09:39+03:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal on project xalan-issue-reproducer: Could not resolve dependencies for project com.example:xalan-issue-reproducer:jar:1.0.0: Failed to collect dependencies at xalan:xalan:jar:[2.7.2,2.7.2]: No versions available for xalan:xalan:jar:[2.7.2,2.7.2] within specified range -> [Help 1]


<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.example</groupId>
    <artifactId>xalan-issue-reproducer</artifactId>
    <version>1.0.0</version>
    <name>Xalan-Issue-Reproducer</name>

  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <maven.compiler.source>1.8</maven.compiler.source>
    <maven.compiler.target>1.8</maven.compiler.target>
  </properties>

  <dependencies>
    <dependency>
      <groupId>xalan</groupId>
      <artifactId>xalan</artifactId>
      <version>[2.7.2]</version>
    </dependency>
  </dependencies>
</project>

Vladimir
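
Added example, not part of the original message and not Maven's own code: a simplified Python model of the failure above, showing why the hard range [2.7.2] depends on the version list in maven-metadata.xml while the soft version 2.7.2 does not. The metadata content, the function names and the numeric-only version ordering are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a metadata file whose version list has lost the older
# releases, as the message suspects happened. Not the real file from Central.
SAMPLE_METADATA = """<metadata>
  <groupId>xalan</groupId>
  <artifactId>xalan</artifactId>
  <versioning>
    <versions>
      <version>2.7.3</version>
    </versions>
  </versioning>
</metadata>"""

def listed_versions(metadata_xml):
    root = ET.fromstring(metadata_xml)
    return [v.text.strip() for v in root.findall("./versioning/versions/version")]

def key(version):
    # Simplification: numeric dotted versions only, not Maven's full ordering.
    return tuple(int(p) for p in version.split("."))

def parse_range(spec):
    spec = spec.strip()
    if not (spec.startswith(("[", "(")) and spec.endswith(("]", ")"))):
        return None  # soft requirement such as "2.7.2"
    lo, sep, hi = (p.strip() for p in spec[1:-1].partition(","))
    if not sep:
        hi = lo  # "[2.7.2]" is shorthand for "[2.7.2,2.7.2]"
    return (lo or None, spec[0] == "[", hi or None, spec[-1] == "]")

def resolve(spec, metadata_xml):
    rng = parse_range(spec)
    if rng is None:
        return spec  # soft version: used as written, version list not consulted
    lo, lo_inc, hi, hi_inc = rng
    def ok(v):
        k = key(v)
        if lo and (k < key(lo) or (k == key(lo) and not lo_inc)):
            return False
        if hi and (k > key(hi) or (k == key(hi) and not hi_inc)):
            return False
        return True
    matches = sorted((v for v in listed_versions(metadata_xml) if ok(v)), key=key)
    if not matches:
        raise LookupError(f"No versions available for {spec} within specified range")
    return matches[-1]
```

Running the same check against each repository's metadata before and after a repair shows whether a pinned range would resolve again.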