[ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17163321#comment-17163321 ]
Mark Nolan commented on MNG-6965:
---------------------------------

{quote}It's injected by [https://github.com/apache/maven/blob/master/maven-core/src/main/java/org/apache/maven/plugin/internal/PlexusUtilsInjector.java]{quote}

Well, having looked at that and read the comment in the code, I am left somewhat in disbelief! It is extraordinary to have such a fixed dependency.

I realise that the situation of plexus-utils:1.1 being blocked may be a specific situation for my company, but we cannot be unique. That version is very old and it has multiple vulnerabilities. It isn't fit for purpose in a corporate environment. Indeed, we should all be avoiding vulnerable software, and baking in such a dependency is a bad idea.

But, in addition, this seems like a very poor way to solve the problem. If a plugin (in this case an extension, but I assume the same process applies) requires a dependency on plexus-utils, then that should be enforced, not slipped in under the covers.

My proposals for resolving this would be, in order of preference:
# This is required for Maven 2.x compatibility. Simply remove it. Maven 2 was EOL 2014.
# If extensions continue to have an implicit dependency on plexus-utils, make it explicit. All extensions and plug-ins must declare such a dependency or fail. Change the injector to throw an exception if the dependency is not found.
# If really worried about how many are using this implicit dependency, then at least make it respect any dependencyManagement declaration. In this case, that would result in 3.2.0 being used by archetype-packaging.
# Add an explicit dependency to archetype-packaging so that the version of plexus-utils respects the version in the parent pom.

I don't see "do nothing" as an option.
> archetype-packaging.jar:3.1.2 requires
> org.codehaus.plexus:plexus-utils:jar:1.1
> -------------------------------------------------------------------------------
>
>                 Key: MNG-6965
>                 URL: https://issues.apache.org/jira/browse/MNG-6965
>             Project: Maven
>          Issue Type: Bug
>          Components: Plugins and Lifecycle
>    Affects Versions: 3.6.0, 3.6.3
>         Environment: Win7, Win10, at least one variant of Linux (not sure
> which)
>            Reporter: Mark Nolan
>            Priority: Major
>              Labels: archetype
>         Attachments: pom.xml
>
>
> A simple minimal archetype pom following the manual pages downloads
> plexus-utils 1.1, even though it is not (apparently) declared anywhere. This
> version is banned at my organization (edited to add: due to vulnerabilities),
> meaning such a pom always fails.
>
> {code:xml}
> <project xmlns="http://maven.apache.org/POM/4.0.0"
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>   xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
>   http://maven.apache.org/xsd/maven-4.0.0.xsd">
>   <modelVersion>4.0.0</modelVersion>
>   <groupId>test</groupId>
>   <artifactId>test</artifactId>
>   <version>0.0.1-SNAPSHOT</version>
>   <packaging>maven-archetype</packaging>
>   <name>test</name>
>   <build>
>     <extensions>
>       <extension>
>         <groupId>org.apache.maven.archetype</groupId>
>         <artifactId>archetype-packaging</artifactId>
>         <version>3.1.2</version>
>       </extension>
>     </extensions>
>     <pluginManagement>
>       <plugins>
>         <plugin>
>           <groupId>org.apache.maven.plugins</groupId>
>           <artifactId>maven-archetype-plugin</artifactId>
>           <version>3.1.2</version>
>         </plugin>
>       </plugins>
>     </pluginManagement>
>   </build>
> </project>
> {code}
>
> Running any goal, such as mvn -X clean, produces the following before the
> goal is executed:
>
> {code}
> [DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800,
> ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1,
> ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700,
> ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0,
> ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1,
> DefaultDependencyCollector.collectTime=66890900,
> DefaultDependencyCollector.transformTime=8523500}
> [DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:
> [DEBUG]    org.codehaus.plexus:plexus-utils:jar:1.1:runtime
> {code}
>
> As far as I can see, there is no declared dependency on plexus-utils:1.1.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
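As an added check, not part of the issue or of Maven itself: a small Python scanner over `mvn -X` dependency-collection output that attributes each resolved artifact to the plugin or extension that pulled it in (the situation in this issue, where the plexus-utils:1.1 line appears only under archetype-packaging) and flags any version below a policy minimum. The sample log lines and the 3.2.0 minimum for plexus-utils are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample of `mvn -X` dependency-collection output, modelled on the
# lines quoted in MNG-6965; Maven indents each dependency under its root artifact.
SAMPLE_DEBUG_LOG = """\
[DEBUG] Dependency collection stats: {ConflictMarker.nodeCount=1}
[DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:
[DEBUG]    org.codehaus.plexus:plexus-utils:jar:1.1:runtime
[DEBUG] org.apache.maven.plugins:maven-clean-plugin:jar:2.5:
[DEBUG]    org.apache.maven:maven-plugin-api:jar:2.0.6:compile
[DEBUG]    org.codehaus.plexus:plexus-utils:jar:3.2.0:compile
"""

# Policy: groupId:artifactId -> minimum acceptable version (assumed minimum, matching
# the 3.2.0 the issue says the parent pom manages).
BANNED_BELOW = {"org.codehaus.plexus:plexus-utils": "3.2.0"}


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for plain dotted versions so that 1.1 < 3.2.0 compares correctly."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def parse_dependency_tree(log: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each root artifact (plugin/extension line) to the (groupId:artifactId,
    version) pairs resolved beneath it, using the `[DEBUG] g:a:type:version[:scope]`
    lines and ignoring stats and other chatter."""
    tree: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in log.splitlines():
        if not line.startswith("[DEBUG] "):
            continue
        body = line[len("[DEBUG] "):]
        indent = len(body) - len(body.lstrip(" "))
        parts = body.strip().split(":")
        if len(parts) < 4 or " " in parts[0]:
            continue  # not a coordinate line
        ga, version = f"{parts[0]}:{parts[1]}", parts[3]
        if indent == 0:
            current = f"{ga}:{version}"          # a plugin or extension root
            tree.setdefault(current, [])
        elif current is not None:
            tree[current].append((ga, version))  # dependency pulled in by that root
    return tree


def find_banned(tree: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Return 'root -> g:a:version (below minimum)' for every policy violation."""
    findings = []
    for root, deps in tree.items():
        for ga, version in deps:
            minimum = BANNED_BELOW.get(ga)
            if minimum and version_key(version) < version_key(minimum):
                findings.append(f"{root} -> {ga}:{version} (below {minimum})")
    return findings


if __name__ == "__main__":
    for finding in find_banned(parse_dependency_tree(SAMPLE_DEBUG_LOG)):
        print(finding)
```

Feeding the real `mvn -X` output through `parse_dependency_tree` shows which extension injected the old version, which is the evidence to attach when asking the plugin author to declare the dependency explicitly.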