[
https://issues.apache.org/jira/browse/COMMONSSITE-181?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Hochan Kang updated COMMONSSITE-181:
------------------------------------
Description:
The Maven metadata file for *commons-io* currently lists an outdated version
(20030203.000550) as both <latest> and <release>:
{code:java}
<latest>20030203.000550</latest>
<release>20030203.000550</release>{code}
The full metadata can be seen here:
[https://repo1.maven.org/maven2/commons-io/commons-io/maven-metadata.xml]
Since this legacy version is numerically larger than current versions (e.g.
2.21.0), Maven interprets it as the “highest” version.
As a result, when version ranges such as [2.4,) are used, Maven resolves the
dependency to commons-io:commons-io:20030203.000550 instead of the expected 2.x
release.
*Steps to Reproduce:*
Create a Maven project with:
{code:xml}
<dependency>
  <groupId>commons-io</groupId>
  <artifactId>commons-io</artifactId>
  <version>[2.4,)</version>
</dependency>{code}
(nimbus-jose-jwt 4.16.1 uses commons-io like this)
Run mvn dependency:tree.
Maven resolves the dependency to version 20030203.000550.
*Expected Result:*
Maven should resolve to the most recent 2.x release, e.g. 2.21.0.
*Actual Result:*
Maven resolves to 20030203.000550 because it is considered numerically higher.
*Notes:*
This may not be a direct Commons IO issue but rather a metadata ordering issue
inherited from legacy timestamp-based versions in Maven Central.
Please advise whether this can be corrected within the Commons project’s
release metadata, or whether it should be raised with Apache Infrastructure /
Sonatype OSSRH.
was:
Description:
The Maven metadata file for *commons-io* currently lists an outdated version
(20030203.000550) as both <latest> and <release>:
{code:java}
<latest>20030203.000550</latest>
<release>20030203.000550</release>{code}
The full metadata can be seen here:
[https://repo1.maven.org/maven2/commons-io/commons-io/maven-metadata.xml]
Since this legacy version is numerically larger than current versions (e.g.
2.21.0), Maven interprets it as the “highest” version.
As a result, when version ranges such as [2.4,) are used, Maven resolves the
dependency to commons-io:commons-io:20030203.000550 instead of the expected 2.x
release.
*Steps to Reproduce:*
Create a Maven project with:
{code:xml}
<dependency>
  <groupId>commons-io</groupId>
  <artifactId>commons-io</artifactId>
  <version>[2.4,)</version>
</dependency>{code}
(nimbus-jose-jwt uses commons-io like this)
Run mvn dependency:tree.
Maven resolves the dependency to version 20030203.000550.
*Expected Result:*
Maven should resolve to the most recent 2.x release, e.g. 2.21.0.
*Actual Result:*
Maven resolves to 20030203.000550 because it is considered numerically higher.
*Notes:*
This may not be a direct Commons IO issue but rather a metadata ordering issue
inherited from legacy timestamp-based versions in Maven Central.
Please advise whether this can be corrected within the Commons project’s
release metadata, or whether it should be raised with Apache Infrastructure /
Sonatype OSSRH.
> Clarification: latest value in Maven metadata points to legacy timestamp
> version (20030203.000550)
> --------------------------------------------------------------------------------------------------
>
> Key: COMMONSSITE-181
> URL: https://issues.apache.org/jira/browse/COMMONSSITE-181
> Project: Apache Commons All
> Issue Type: Improvement
> Components: Commons Build
> Reporter: Hochan Kang
> Priority: Major
>
> Description:
> The Maven metadata file for *commons-io* currently lists an outdated version
> (20030203.000550) as both <latest> and <release>:
> {code:java}
> <latest>20030203.000550</latest>
> <release>20030203.000550</release>{code}
> The full metadata can be seen here:
> [https://repo1.maven.org/maven2/commons-io/commons-io/maven-metadata.xml]
> Since this legacy version is numerically larger than current versions (e.g.
> 2.21.0), Maven interprets it as the “highest” version.
> As a result, when version ranges such as [2.4,) are used, Maven resolves the
> dependency to commons-io:commons-io:20030203.000550 instead of the expected
> 2.x release.
> *Steps to Reproduce:*
> Create a Maven project with:
> {code:xml}
> <dependency>
>   <groupId>commons-io</groupId>
>   <artifactId>commons-io</artifactId>
>   <version>[2.4,)</version>
> </dependency>{code}
> (nimbus-jose-jwt 4.16.1 uses commons-io like this)
> Run mvn dependency:tree.
> Maven resolves the dependency to version 20030203.000550.
> *Expected Result:*
> Maven should resolve to the most recent 2.x release, e.g. 2.21.0.
> *Actual Result:*
> Maven resolves to 20030203.000550 because it is considered numerically higher.
> *Notes:*
> This may not be a direct Commons IO issue but rather a metadata ordering
> issue inherited from legacy timestamp-based versions in Maven Central.
> Please advise whether this can be corrected within the Commons project’s
> release metadata, or whether it should be raised with Apache Infrastructure /
> Sonatype OSSRH.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
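
The resolution behaviour reported above, as an added example that is not part of the original Jira message or of any Apache Commons code: it resolves the open range `[2.4,)` and a bounded range against a constructed version list and flags date-stamped entries. The sample metadata, the function names and the simplified numeric-only ordering (Maven's own comparator also handles qualifiers) are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like maven-metadata.xml (not the real file's contents).
SAMPLE_METADATA = """<metadata>
  <versioning>
    <latest>20030203.000550</latest>
    <release>20030203.000550</release>
    <versions>
      <version>2.4</version>
      <version>2.11.0</version>
      <version>2.21.0</version>
      <version>20030203.000550</version>
    </versions>
  </versioning>
</metadata>"""

def load_versions(xml_text):
    return [v.text.strip() for v in ET.fromstring(xml_text).iter("version")]

def version_key(version):
    # Simplified: integer segments, trailing zeros dropped so 2.4 == 2.4.0.
    # Maven's own comparator also orders qualifiers, which this sketch ignores.
    parts = [int(p) for p in version.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def resolve(versions, spec):
    """Return the highest version inside a range such as [2.4,) or [2.4,3.0)."""
    m = re.fullmatch(r"([\[(])([\d.]*),([\d.]*)([\])])", spec.replace(" ", ""))
    if m is None:
        raise ValueError(f"unsupported range: {spec!r}")
    open_b, low, high, close_b = m.groups()
    def inside(v):
        k = version_key(v)
        if low and (k < version_key(low) or (open_b == "(" and k == version_key(low))):
            return False
        if high and (k > version_key(high) or (close_b == ")" and k == version_key(high))):
            return False
        return True
    hits = [v for v in versions if inside(v)]
    return max(hits, key=version_key) if hits else None

def legacy_datestamps(versions):
    # Flag yyyymmdd.hhmmss-style versions that outrank every semantic release.
    return [v for v in versions if re.fullmatch(r"\d{8}\.\d{6}", v)]

if __name__ == "__main__":
    vs = load_versions(SAMPLE_METADATA)
    print(resolve(vs, "[2.4,)"), resolve(vs, "[2.4,3.0)"), legacy_datestamps(vs))
```

On the consumer side, an upper-bounded range or an exact version pinned in `dependencyManagement` keeps resolution away from the date-stamped entry regardless of what the repository metadata lists.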