[ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17161836#comment-17161836 ]
Dennis Lundberg edited comment on MNG-6965 at 7/21/20, 7:56 AM:
----------------------------------------------------------------

I guess that the reason it is banned is because of vulnerabilities?

[https://snyk.io/vuln/maven:org.codehaus.plexus%3Aplexus-utils]

A good way to find out from where a dependency is pulled in is to use this command on the project that is pulling the dependency in question. In this case archetype-packaging:
{noformat}
mvn dependency:tree
{noformat}

was (Author: dennisl):
I guess that the reason it is banned because of vulnerabilities?

https://snyk.io/vuln/maven:org.codehaus.plexus%3Aplexus-utils

A good way to find out from where a dependency is pulled in is to use this command on the project that is pulling the dependency in question. In this case archetype-packaging:
{noformat}
mvn dependency:tree
{noformat}

> archetype-packaging.jar:3.1.2 requires
> org.codehaus.plexus:plexus-utils:jar:1.1
> -------------------------------------------------------------------------------
>
> Key: MNG-6965
> URL: https://issues.apache.org/jira/browse/MNG-6965
> Project: Maven
> Issue Type: Bug
> Components: Plugins and Lifecycle
> Affects Versions: 3.6.0, 3.6.3
> Environment: Win7, Win10, at least one variant of Linux (not sure which)
> Reporter: Mark Nolan
> Priority: Major
> Labels: archetype
> Attachments: pom.xml
>
>
> A simple minimal archetype pom following the manual pages downloads
> plexus-utils 1.1, even though it is not (apparently) declared anywhere. This
> version is banned at my organization, meaning such a pom always fails.
> {{<project xmlns="http://maven.apache.org/POM/4.0.0"}}
> {{xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"}}
> {{xsi:schemaLocation="http://maven.apache.org/POM/4.0.0}}
> {{[http://maven.apache.org/xsd/maven-4.0.0.xsd]">}}
> {{<modelVersion>4.0.0</modelVersion>}}
> {{<groupId>test</groupId>}}
> {{<artifactId>test</artifactId>}}
> {{<version>0.0.1-SNAPSHOT</version>}}
> {{<packaging>maven-archetype</packaging>}}
> {{<name>test</name>}}
> {{<build>}}
> {{<extensions> }}
> {{<extension>}}
> {{<groupId>org.apache.maven.archetype</groupId>}}
> {{<artifactId>archetype-packaging</artifactId>}}
> {{<version>3.1.2</version>}}
> {{</extension>}}
> {{</extensions>}}
> {{<pluginManagement>}}
> {{<plugins>}}
> {{<plugin>}}
> {{<groupId>org.apache.maven.plugins</groupId>}}
> {{<artifactId>maven-archetype-plugin</artifactId>}}
> {{<version>3.1.2</version>}}
> {{</plugin>}}
> {{</plugins>}}
> {{</pluginManagement>}}
> {{</build>}}
> {{</project>}}
>
> Running any goal, such as mvn -X clean, produces the following before the
> goal is executed:
> {{[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800,
> ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1,
> ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700,
> ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0,
> ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1,
> DefaultDependencyCollector.collectTime=66890900,
> DefaultDependencyCollector.transformTime=8523500}}}
> {{[DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:}}
> {{[DEBUG] org.codehaus.plexus:plexus-utils:jar:1.1:runtime}}
>
> As far as I can see, there is no declared dependency on plexus-utils:1.1.
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
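
An added example, not part of the original message or of Maven: a small parser for the `[DEBUG]` dependency trees that `mvn -X` prints, as quoted in the report, which returns the chain of artifacts leading to a banned version. The sample log is constructed, `parse_trees` and `find_banned` are hypothetical names, and it assumes nesting is shown by indentation after the `[DEBUG]` prefix (the whitespace is lost in the quoted e-mail).

```python
import re

# Constructed sample modeled on the [DEBUG] lines quoted in the report. The
# indentation and the second (hypothetical) extension are assumptions.
SAMPLE_LOG = """\
[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800}
[DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:
[DEBUG]    org.codehaus.plexus:plexus-utils:jar:1.1:runtime
[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=1200}
[DEBUG] com.example:hypothetical-extension:jar:1.0:
[DEBUG]    com.example:hypothetical-lib:jar:2.0:runtime
[DEBUG]       org.codehaus.plexus:plexus-utils:jar:3.3.0:runtime
[INFO] Scanning for projects...
"""

# group:artifact:type[:classifier]:version, then ":" and an optional scope.
NODE = re.compile(r"^\[DEBUG\] ( *)([\w.\-]+(?::[\w.\-]+){3,4}):([a-z]*)(?: .*)?$")


def parse_trees(log_text):
    """Yield, for every tree node, the chain of coordinates from root to node."""
    stack = []  # (indent, coordinate) entries for the branch being read
    for line in log_text.splitlines():
        m = NODE.match(line)
        if not m:
            stack = []  # any other line ends the current tree
            continue
        indent, coord = len(m.group(1)), m.group(2)
        while stack and stack[-1][0] >= indent:
            stack.pop()  # climb back up to this node's parent
        stack.append((indent, coord))
        yield [c for _, c in stack]


def find_banned(log_text, banned):
    """Return the chains whose last node is a banned group:artifact:version."""
    hits = []
    for chain in parse_trees(log_text):
        parts = chain[-1].split(":")
        if f"{parts[0]}:{parts[1]}:{parts[-1]}" in banned:
            hits.append(chain)
    return hits


if __name__ == "__main__":
    for chain in find_banned(SAMPLE_LOG, {"org.codehaus.plexus:plexus-utils:1.1"}):
        print(" -> ".join(chain))
```

Run against a saved `mvn -X` log, the first element of each chain names the extension or plugin whose resolution brought in the banned artifact.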