[jira] [Commented] (IO-881) 20030203.000550 is now latest version in Maven

Tue, 11 Nov 2025 06:54:07 -0800 


    [ 
https://issues.apache.org/jira/browse/IO-881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18037469#comment-18037469
 ] 

Hochan Kang commented on IO-881:
--------------------------------

https://issues.apache.org/jira/browse/COMMONSSITE-181 

*Description:*
The Maven metadata file for *commons-io* currently lists an outdated version 
(20030203.000550) as both <latest> and <release>:
{code:java}
<latest>20030203.000550</latest>
<release>20030203.000550</release>{code}
The full metadata can be seen here: 
[https://repo1.maven.org/maven2/commons-io/commons-io/maven-metadata.xml] 
Since this legacy version is numerically larger than current versions (e.g. 
2.21.0), Maven interprets it as the “highest” version.

As a result, when version ranges such as [2.4,) are used, Maven resolves the 
dependency to commons-io:commons-io:20030203.000550 instead of the expected 2.x 
release.

*Steps to Reproduce:*

Create a Maven project with:

<dependency>
    <groupId>commons-io</groupId>
    <artifactId>commons-io</artifactId>
    <version>[2.4,)</version>
</dependency>

(nimbus-jose-jwt 4.16.1 use commons-io like this)

Run mvn dependency:tree.

Maven resolves the dependency to version 20030203.000550.

*Expected Result:*
Maven should resolve to the most recent 2.x release, e.g. 2.21.0.

*Actual Result:*
Maven resolves to 20030203.000550 because it is considered numerically higher.

*Notes:*
This may not be a direct Commons IO issue but rather a metadata ordering issue 
inherited from legacy timestamp-based versions in Maven Central.
Please advise whether this can be corrected within the Commons project’s 
release metadata, or whether it should be raised with Apache Infrastructure / 
Sonatype OSSRH.

> 20030203.000550 is now latest version in Maven
> ----------------------------------------------
>
>                 Key: IO-881
>                 URL: https://issues.apache.org/jira/browse/IO-881
>             Project: Commons IO
>          Issue Type: Bug
>    Affects Versions: 2.21.0
>            Reporter: Alexander Veit
>            Priority: Critical
>
> With 2.21.0 the latest version in Maven has changed to 
> `{color:#000000}20030203.000550{color}` which is wrong.
>  
> See https://repo1.maven.org/maven2/commons-io/commons-io/maven-metadata.xml



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to