[
https://issues.apache.org/jira/browse/COMMONSSITE-181?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Hochan Kang updated COMMONSSITE-181:
------------------------------------
Description:
The Maven metadata file for *commons-io* currently lists an outdated version
(20030203.000550) as both <latest> and <release>:
{code:java}
<latest>20030203.000550</latest>
<release>20030203.000550</release>{code}
The full metadata can be seen here:
https://repo1.maven.org/maven2/commons-io/commons-io/maven-metadata.xml
Since this legacy version is numerically larger than current versions (e.g.
2.21.0), Maven interprets it as the “highest” version.
As a result, when version ranges such as [2.4,) are used, Maven resolves the
dependency to commons-io:commons-io:20030203.000550 instead of the expected 2.x
release.
*Steps to Reproduce:*
Create a Maven project with:
{code:xml}
<dependency>
  <groupId>commons-io</groupId>
  <artifactId>commons-io</artifactId>
  <version>[2.4,)</version>
</dependency>{code}
(jwt-jose-nimbus uses commons-io like this)
Run mvn dependency:tree.
Maven resolves the dependency to version 20030203.000550.
*Expected Result:*
Maven should resolve to the most recent 2.x release, e.g. 2.21.0.
*Actual Result:*
Maven resolves to 20030203.000550 because it is considered numerically higher.
*Notes:*
This may not be a direct Commons IO issue but rather a metadata ordering issue
inherited from legacy timestamp-based versions in Maven Central.
Please advise whether this can be corrected within the Commons project’s
release metadata, or whether it should be raised with Apache Infrastructure /
Sonatype OSSRH.
was:
It seems that the {{maven-metadata.xml}} file for *Apache Commons IO* contains
an incorrect {{versioning.latest}} value.
The file at:
[https://repo.maven.apache.org/maven2/commons-io/commons-io/maven-metadata.xml]
currently shows:
{code:java}
<versioning>
<latest>20030203.000550</latest>
</versioning> {code}
This value appears to point to an old legacy version, while the latest release
should be 2.21.0 (as listed on Maven Central and the Commons IO website).
This incorrect metadata can cause build issues for Maven-based projects that
rely on the "latest" version resolution instead of specifying an explicit
version.
----
*Steps to Reproduce:*
Create a simple Maven project without specifying a version for commons-io
dependency.
Run mvn dependency:tree or build the project.
Maven resolves commons-io:commons-io:20030203.000550 as the latest version.
----
*Expected Result:*
versioning.latest should reflect the most recent stable release, e.g. 2.21.0.
*Actual Result:*
versioning.latest is set to 20030203.000550, which causes Maven to download an
outdated version and may lead to compilation errors.
----
*Additional Info:*
This issue affects Maven projects that omit an explicit version for Commons IO
dependencies.
> Clarification: latest value in Maven metadata points to legacy timestamp
> version (20030203.000550)
> --------------------------------------------------------------------------------------------------
>
> Key: COMMONSSITE-181
> URL: https://issues.apache.org/jira/browse/COMMONSSITE-181
> Project: Apache Commons All
> Issue Type: Improvement
> Components: Commons Build
> Reporter: Hochan Kang
> Priority: Major
> Attachments: image-2025-11-11-23-05-21-162.png
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
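
Added example (not part of the Jira issue and not Apache or Maven code): a simplified Python model of the range resolution the issue describes, showing why the open range [2.4,) selects 20030203.000550. It goes one step beyond the report by showing that a bounded range such as [2.4,3.0) stays on 2.x. The metadata is a constructed sample, all function names are hypothetical, and the comparison assumes purely numeric dotted versions rather than Maven's full ordering rules.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like maven-metadata.xml (not the real file).
SAMPLE_METADATA = """<metadata>
  <groupId>commons-io</groupId>
  <artifactId>commons-io</artifactId>
  <versioning>
    <latest>20030203.000550</latest>
    <release>20030203.000550</release>
    <versions>
      <version>2.4</version>
      <version>2.21.0</version>
      <version>20030203.000550</version>
    </versions>
  </versioning>
</metadata>"""

def version_key(version):
    """Numeric dotted versions only; trailing zeros dropped so 3.0 == 3."""
    parts = [int(p) for p in version.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_range(spec):
    """Parse one range such as [2.4,) or [2.4,3.0) into bounds."""
    m = re.fullmatch(r"([\[(])([\d.]*),([\d.]*)([\])])", spec.replace(" ", ""))
    if not m:
        raise ValueError(f"unsupported range: {spec}")
    lo_br, lo, hi, hi_br = m.groups()
    return (version_key(lo) if lo else None, lo_br == "[",
            version_key(hi) if hi else None, hi_br == "]")

def in_range(version, bounds):
    lo, lo_inc, hi, hi_inc = bounds
    key = version_key(version)
    if lo is not None and (key < lo or (key == lo and not lo_inc)):
        return False
    if hi is not None and (key > hi or (key == hi and not hi_inc)):
        return False
    return True

def resolve(metadata_xml, spec):
    """Highest listed version inside the range, or None if nothing matches."""
    versions = [v.text for v in ET.fromstring(metadata_xml).iter("version")]
    bounds = parse_range(spec)
    matches = [v for v in versions if in_range(v, bounds)]
    return max(matches, key=version_key) if matches else None
```

Calling resolve(SAMPLE_METADATA, "[2.4,)") returns the legacy timestamp version, while resolve(SAMPLE_METADATA, "[2.4,3.0)") returns 2.21.0.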