[ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17163321#comment-17163321 ]

Mark Nolan commented on MNG-6965:
---------------------------------

{quote}It's injected by 
[https://github.com/apache/maven/blob/master/maven-core/src/main/java/org/apache/maven/plugin/internal/PlexusUtilsInjector.java]
{quote}

Well, having looked at that and read the comment in the code, I am left 
somewhat in disbelief! It is extraordinary to have such a fixed dependency.


I realise that the situation of plexus-utils:1.1 being blocked may be a 
specific situation for my company, but we cannot be unique. That version is 
very old and it has multiple vulnerabilities. It isn't fit for purpose in a 
corporate environment. Indeed, we should all be avoiding vulnerable software 
and baking in such a dependency is a bad idea.


But, in addition, this seems like a very poor way to solve the problem. If a 
plugin (in this case an extension, but I assume the same process applies) 
requires a dependency on plexus-utils, then that should be enforced, not 
slipped in under the covers.


My proposals for resolving this would be, in order of preference:
 # This is required for Maven 2.x compatibility. Simply remove it. Maven 2 went 
EOL in 2014.
 # If extensions continue to have an implicit dependency on plexus-utils, make 
it explicit. All extensions and plug-ins must declare such a dependency or 
fail. Change the injector to throw an exception if the dependency is not found.
 # If really worried about how many are using this implicit dependency, then at 
least make it respect any dependencyManagement declaration. In this case, that 
would result in 3.2.0 being used by archetype-packaging.
 # Add an explicit dependency to archetype-packaging so that the version of 
plexus-utils respects the version in the parent pom.


I don't see "do nothing" as an option.


> archetype-packaging.jar:3.1.2 requires 
> org.codehaus.plexus:plexus-utils:jar:1.1
> -------------------------------------------------------------------------------
>
>                 Key: MNG-6965
>                 URL: https://issues.apache.org/jira/browse/MNG-6965
>             Project: Maven
>          Issue Type: Bug
>          Components: Plugins and Lifecycle
>    Affects Versions: 3.6.0, 3.6.3
>         Environment: Win7, Win10, at least one variant of Linux (not sure 
> which)
>            Reporter: Mark Nolan
>            Priority: Major
>              Labels: archetype
>         Attachments: pom.xml
>
>
> A simple minimal archetype pom following the manual pages downloads 
> plexus-utils 1.1, even though it is not (apparently) declared anywhere. This 
> version is banned at my organization (edited to add: due to vulnerabilities), 
> meaning such a pom always fails.
>  
> {code:xml}
> <project xmlns="http://maven.apache.org/POM/4.0.0"
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>   xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
>   http://maven.apache.org/xsd/maven-4.0.0.xsd">
> <modelVersion>4.0.0</modelVersion>
> <groupId>test</groupId>
> <artifactId>test</artifactId>
> <version>0.0.1-SNAPSHOT</version>
> <packaging>maven-archetype</packaging>
> <name>test</name>
> <build>
>   <extensions> 
>     <extension>
>       <groupId>org.apache.maven.archetype</groupId>
>       <artifactId>archetype-packaging</artifactId>
>       <version>3.1.2</version>
>     </extension>
>   </extensions>
>   <pluginManagement>
>     <plugins>
>       <plugin>
>         <groupId>org.apache.maven.plugins</groupId>
>         <artifactId>maven-archetype-plugin</artifactId>
>         <version>3.1.2</version>
>       </plugin>
>     </plugins>
>   </pluginManagement>
> </build>
> </project>
> {code}
> Running any goal, such as mvn -X clean, produces the following before the 
> goal is executed:
> {code}
> [DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, DefaultDependencyCollector.collectTime=66890900, DefaultDependencyCollector.transformTime=8523500}
> [DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:
> [DEBUG]    org.codehaus.plexus:plexus-utils:jar:1.1:runtime
> {code}
>  
> As far as I can see, there is no declared dependency on plexus-utils:1.1.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
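An added example, not code from the ticket, the reporter or the Maven project: a script that scans `mvn -X` dependency-collection output in the format quoted in the report (root plugin/extension at indent zero, its resolved tree indented three spaces per level) and reports any artifact below a policy minimum, together with the plugin or extension whose tree pulled it in. That is the check a corporate build would want, since the injected plexus-utils:1.1 is never declared in any pom and only shows up in the resolved tree. The sample log lines are constructed after the excerpt above; the 3.2.0 floor for plexus-utils is the version the comment says dependencyManagement would have supplied and is used only as an illustrative threshold; the version comparison is a simplified numeric one and does not replicate Maven's ComparableVersion.

```python
"""Scan `mvn -X` output for plugin/extension dependencies below a policy minimum."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SCOPES = {"compile", "runtime", "provided", "test", "system"}

# A dependency-tree line is "[DEBUG] ", then three spaces per nesting level,
# then a single colon-separated coordinate token and nothing else.
TREE_LINE = re.compile(r"^\[DEBUG\] (?P<indent> *)(?P<coords>\S+:\S+)\s*$")

# Illustrative policy (assumption, not Maven's or the reporter's): minimum
# acceptable version per groupId:artifactId.
POLICY: Dict[str, str] = {"org.codehaus.plexus:plexus-utils": "3.2.0"}

# Constructed sample modelled on the mvn -X excerpt in the report; not a real capture.
SAMPLE_DEBUG_LOG = """\
[DEBUG] Dependency collection stats: {ConflictMarker.nodeCount=1, ConflictResolver.conflictItemCount=1}
[DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:
[DEBUG]    org.codehaus.plexus:plexus-utils:jar:1.1:runtime
[INFO] Scanning for projects...
[DEBUG] org.apache.maven.plugins:maven-clean-plugin:jar:3.1.0:
[DEBUG]    org.apache.maven.shared:maven-shared-utils:jar:3.2.1:compile
[DEBUG]       commons-io:commons-io:jar:2.5:compile
"""


@dataclass(frozen=True)
class Node:
    group: str
    artifact: str
    version: str
    scope: Optional[str]
    depth: int  # 0 = the plugin or extension being resolved


@dataclass(frozen=True)
class Finding:
    root: str     # groupId:artifactId:version of the plugin/extension whose tree pulled it in
    coords: str   # groupId:artifactId:version of the offending artifact
    minimum: str  # policy floor it fell below


def parse_node(coords: str, depth: int) -> Optional[Node]:
    """Parse g:a:type[:classifier]:version[:scope]; root lines carry a trailing ':'."""
    parts = coords.rstrip(":").split(":")
    scope = parts.pop() if parts[-1] in SCOPES else None
    if len(parts) < 4:
        return None  # some other "[DEBUG] word:word" line, not a coordinate
    return Node(parts[0], parts[1], parts[-1], scope, depth)


def parse_trees(log: str) -> List[Node]:
    """Return every coordinate line of the log in order, with its nesting depth."""
    nodes: List[Node] = []
    for line in log.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue
        node = parse_node(m.group("coords"), len(m.group("indent")) // 3)
        if node:
            nodes.append(node)
    return nodes


def version_key(version: str):
    """Simplified numeric ordering; qualifiers (alpha, SNAPSHOT) are not handled like Maven does."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version))


def find_banned(log: str, minimums: Dict[str, str]) -> List[Finding]:
    """Report each artifact below its policy floor, attributed to the enclosing root."""
    findings: List[Finding] = []
    root: Optional[str] = None
    for node in parse_trees(log):
        ga = f"{node.group}:{node.artifact}"
        gav = f"{ga}:{node.version}"
        if node.depth == 0:
            root = gav  # every following indented line belongs to this plugin/extension
        floor = minimums.get(ga)
        if floor is not None and version_key(node.version) < version_key(floor):
            findings.append(Finding(root or gav, gav, floor))
    return findings


if __name__ == "__main__":
    for f in find_banned(SAMPLE_DEBUG_LOG, POLICY):
        print(f"{f.coords} (minimum {f.minimum}) pulled in by {f.root}")
```

Pipe a real build through it with `mvn -X clean | python3 scan.py` after swapping the constructed sample for `sys.stdin.read()`; the attribution to the root line is what tells you which extension or plugin to pin, since the offending artifact itself appears in no pom.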
