[ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17555562#comment-17555562 ]
ASF GitHub Bot commented on MNG-6965:
-------------------------------------

michael-o opened a new pull request, #755:
URL: https://github.com/apache/maven/pull/755

   …jar:1.1 on their classpath

   This closes #367

   Following this checklist to help us incorporate your contribution quickly and easily:

    - [ ] Make sure there is a [JIRA issue](https://issues.apache.org/jira/browse/MNG) filed
          for the change (usually before you start working on it). Trivial changes like typos do not
          require a JIRA issue. Your pull request should address just this issue, without
          pulling in other changes.
    - [ ] Each commit in the pull request should have a meaningful subject line and body.
    - [ ] Format the pull request title like `[MNG-XXX] SUMMARY`, where you replace `MNG-XXX`
          and `SUMMARY` with the appropriate JIRA issue. Best practice is to use the JIRA issue
          title in the pull request title and in the first line of the commit message.
    - [ ] Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
    - [ ] Run `mvn clean verify` to make sure basic checks pass. A more thorough check will
          be performed on your pull request automatically.
    - [ ] You have run the [Core IT][core-its] successfully.

   If your pull request is about ~20 lines of code you don't need to sign an
   [Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf) if you are unsure
   please ask on the developers list.

   To make clear that you license your contribution under
   the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0)
   you have to acknowledge this by using the following check-box.

    - [ ] I hereby declare this contribution to be licenced under the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0)

    - [ ] In any other case, please file an [Apache Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf).
   [core-its]: https://maven.apache.org/core-its/core-it-suite/

> Extensions suddenly have org.codehaus.plexus:plexus-utils:jar:1.1 on their classpath
> ------------------------------------------------------------------------------------
>
>                 Key: MNG-6965
>                 URL: https://issues.apache.org/jira/browse/MNG-6965
>             Project: Maven
>          Issue Type: Bug
>          Components: Plugins and Lifecycle
>    Affects Versions: 3.6.0, 3.6.3
>         Environment: Win7, Win10, at least one variant of Linux (not sure which)
>            Reporter: Mark Nolan
>            Assignee: Sylwester Lachiewicz
>            Priority: Major
>              Labels: archetype
>             Fix For: 3.9.0-candidate, 4.0.0-alpha-1, 4.0.0
>
>         Attachments: pom.xml
>
>
> A simple minimal archetype pom following the manual pages downloads
> plexus-utils 1.1, even though it is not (apparently) declared anywhere. This
> version is banned at my organization (edited to add: due to vulnerabilities),
> meaning such a pom always fails.
>
> {code:xml}
> <project xmlns="http://maven.apache.org/POM/4.0.0"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
>   <modelVersion>4.0.0</modelVersion>
>   <groupId>test</groupId>
>   <artifactId>test</artifactId>
>   <version>0.0.1-SNAPSHOT</version>
>   <packaging>maven-archetype</packaging>
>   <name>test</name>
>   <build>
>     <extensions>
>       <extension>
>         <groupId>org.apache.maven.archetype</groupId>
>         <artifactId>archetype-packaging</artifactId>
>         <version>3.1.2</version>
>       </extension>
>     </extensions>
>     <pluginManagement>
>       <plugins>
>         <plugin>
>           <groupId>org.apache.maven.plugins</groupId>
>           <artifactId>maven-archetype-plugin</artifactId>
>           <version>3.1.2</version>
>         </plugin>
>       </plugins>
>     </pluginManagement>
>   </build>
> </project>
> {code}
> Running any goal, such as mvn -X clean, produces the following before the
> goal is executed:
> {code}
> [DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, DefaultDependencyCollector.collectTime=66890900, DefaultDependencyCollector.transformTime=8523500}
> [DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:
> [DEBUG] org.codehaus.plexus:plexus-utils:jar:1.1:runtime
> {code}
>
> As far as I can see, there is no declared dependency on plexus-utils:1.1.
>

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
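
A CI-side check for the symptom described in this report, as an added example that is not part of the original message or of the Maven project: it scans `mvn -X` debug output for banned coordinates and names the extension or plugin whose tree resolved them. `BANNED`, `TREE_LINE`, `find_banned` and the `com.example` coordinates are hypothetical names; the code assumes tree lines have the `group:artifact:type:version:scope` shape shown in the log above, with no classifier.

```python
import re
import sys

# Banned (groupId, artifactId, version) triples. The single entry is the artifact
# named in the report; a real list would come from organizational policy.
BANNED = {("org.codehaus.plexus", "plexus-utils", "1.1")}

# Tree lines as shown in the report: "[DEBUG] group:artifact:type:version:scope".
# The root of each tree (the extension or plugin) has an empty scope.
TREE_LINE = re.compile(
    r"^\[DEBUG\]\s+([^:\s]+):([^:\s]+):([^:\s]+):([^:\s]+):(\S*)$")

# Constructed sample: first tree copied from the report, second one hypothetical.
# The parser does not depend on the indentation of child lines.
SAMPLE_LOG = """\
[DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:
[DEBUG]    org.codehaus.plexus:plexus-utils:jar:1.1:runtime
[INFO] Scanning for projects...
[DEBUG] com.example:example-plugin:jar:1.0.0:
[DEBUG]    com.example:example-lib:jar:2.0.0:compile
"""


def find_banned(log_text, banned=BANNED):
    """Return (root, banned_coordinate, scope) for every banned artifact seen."""
    hits, root = [], None
    for line in log_text.splitlines():
        m = TREE_LINE.match(line.rstrip())
        if not m:
            root = None  # any other line ends the current tree
            continue
        group, artifact, _type, version, scope = m.groups()
        coord = f"{group}:{artifact}:{version}"
        if scope == "":
            root = coord  # start of a new tree
        if (group, artifact, version) in banned:
            hits.append((root or "<no root seen>", coord, scope or "root"))
    return hits


if __name__ == "__main__":
    # Usage: mvn -X clean | python this_script.py   (no pipe: scan SAMPLE_LOG)
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    found = find_banned(text)
    for root, coord, scope in found:
        print(f"BANNED {coord} ({scope}) pulled in by {root}")
    sys.exit(1 if found else 0)
```

The non-zero exit status lets a build pipeline fail when an extension or plugin classpath contains a banned artifact that no POM declares.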