[ https://issues.apache.org/jira/browse/COMMONSSITE-181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18037466#comment-18037466 ]

Gilles Sadowski commented on COMMONSSITE-181:
---------------------------------------------

Thanks for the detailed report.
Someone else opened another one about the same issue: IO-881.
Could you please copy over there the valuable information which you've provided 
in the description?

> Clarification: latest value in Maven metadata points to legacy timestamp 
> version (20030203.000550)
> --------------------------------------------------------------------------------------------------
>
>                 Key: COMMONSSITE-181
>                 URL: https://issues.apache.org/jira/browse/COMMONSSITE-181
>             Project: Apache Commons All
>          Issue Type: Improvement
>          Components: Commons Build
>            Reporter: Hochan Kang
>            Priority: Major
>
> Description:
> The Maven metadata file for *commons-io* currently lists an outdated version 
> (20030203.000550) as both <latest> and <release>:
> {code:java}
> <latest>20030203.000550</latest>
> <release>20030203.000550</release>{code}
> The full metadata can be seen here: 
> [https://repo1.maven.org/maven2/commons-io/commons-io/maven-metadata.xml] 
> Since this legacy version is numerically larger than current versions (e.g. 
> 2.21.0), Maven interprets it as the “highest” version.
> As a result, when version ranges such as [2.4,) are used, Maven resolves the 
> dependency to commons-io:commons-io:20030203.000550 instead of the expected 
> 2.x release.
> *Steps to Reproduce:*
> Create a Maven project with:
> <dependency>
>     <groupId>commons-io</groupId>
>     <artifactId>commons-io</artifactId>
>     <version>[2.4,)</version>
> </dependency>
> (nimbus-jose-jwt 4.16.1 uses commons-io like this)
> Run mvn dependency:tree.
> Maven resolves the dependency to version 20030203.000550.
> *Expected Result:*
> Maven should resolve to the most recent 2.x release, e.g. 2.21.0.
> *Actual Result:*
> Maven resolves to 20030203.000550 because it is considered numerically higher.
> *Notes:*
> This may not be a direct Commons IO issue but rather a metadata ordering 
> issue inherited from legacy timestamp-based versions in Maven Central.
> Please advise whether this can be corrected within the Commons project’s 
> release metadata, or whether it should be raised with Apache Infrastructure / 
> Sonatype OSSRH.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
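
Added example (not part of the original message and not Apache Commons or Maven code): a Python sketch that reads a constructed maven-metadata.xml sample, flags date-stamped versions, and shows what an open range such as [2.4,) selects compared with the same range given an upper bound. The ordering is a simplified numeric comparison rather than Maven's full algorithm, and the function names and the upper bound of 3 are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample; only 20030203.000550 and 2.21.0 come from the report.
SAMPLE_METADATA = """<metadata>
  <versioning>
    <latest>20030203.000550</latest>
    <release>20030203.000550</release>
    <versions>
      <version>2.4</version>
      <version>2.21.0</version>
      <version>20030203.000550</version>
    </versions>
  </versioning>
</metadata>"""

DATE_STAMP = re.compile(r"^(19|20)\d{6}(\.\d{6})?$")  # e.g. 20030203.000550


def numeric_key(version):
    """Simplified ordering (assumption): dot-separated integers, no qualifiers."""
    parts = [int(p) for p in version.split(".")]
    while parts and parts[-1] == 0:  # treat 2.4 and 2.4.0 as equal
        parts.pop()
    return tuple(parts)


def resolve_range(versions, lower, upper=None):
    """Highest version in [lower, upper); upper=None models an open range."""
    lo = numeric_key(lower)
    hi = numeric_key(upper) if upper else None
    ok = [v for v in versions
          if numeric_key(v) >= lo and (hi is None or numeric_key(v) < hi)]
    return max(ok, key=numeric_key) if ok else None


def audit(metadata_xml, lower, upper):
    root = ET.fromstring(metadata_xml)
    versions = [v.text.strip() for v in root.findall("versioning/versions/version")]
    return {
        "release_tag": root.findtext("versioning/release"),
        "legacy_versions": [v for v in versions if DATE_STAMP.match(v)],
        "resolved_open": resolve_range(versions, lower),
        "resolved_bounded": resolve_range(versions, lower, upper),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_METADATA, "2.4", "3"))
```

In a POM, the bounded case corresponds to giving the range an upper limit or pinning an exact version, so the date-stamped artifact can no longer be selected.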
