[ https://issues.apache.org/jira/browse/MNG-6965 ]


    Herve Boutemy deleted comment on MNG-6965:
    ------------------------------------

was (Author: hudson):
Build succeeded in Jenkins: Maven » Maven TLP » maven » master #63

See https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven/job/master/63/

> Extensions suddenly have org.codehaus.plexus:plexus-utils:jar:1.1 on their classpath
> ------------------------------------------------------------------------------------
>
>                 Key: MNG-6965
>                 URL: https://issues.apache.org/jira/browse/MNG-6965
>             Project: Maven
>          Issue Type: Wish
>          Components: Plugins and Lifecycle
>    Affects Versions: 3.6.0, 3.6.3
>         Environment: Win7, Win10, at least one variant of Linux (not sure 
> which)
>            Reporter: Mark Nolan
>            Assignee: Sylwester Lachiewicz
>            Priority: Major
>              Labels: archetype
>             Fix For: 3.9.0, 4.0.0-alpha-1, 4.0.0
>
>         Attachments: pom.xml
>
>
> A simple minimal archetype pom following the manual pages downloads 
> plexus-utils 1.1, even though it is not (apparently) declared anywhere. This 
> version is banned at my organization (edited to add: due to vulnerabilities), 
> meaning such a pom always fails.
>  
> {code:xml}
> <project xmlns="http://maven.apache.org/POM/4.0.0"
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>   xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
>   http://maven.apache.org/xsd/maven-4.0.0.xsd">
> <modelVersion>4.0.0</modelVersion>
> <groupId>test</groupId>
> <artifactId>test</artifactId>
> <version>0.0.1-SNAPSHOT</version>
> <packaging>maven-archetype</packaging>
> <name>test</name>
> <build>
>   <extensions> 
>     <extension>
>       <groupId>org.apache.maven.archetype</groupId>
>       <artifactId>archetype-packaging</artifactId>
>       <version>3.1.2</version>
>     </extension>
>   </extensions>
>   <pluginManagement>
>     <plugins>
>       <plugin>
>         <groupId>org.apache.maven.plugins</groupId>
>         <artifactId>maven-archetype-plugin</artifactId>
>         <version>3.1.2</version>
>       </plugin>
>     </plugins>
>   </pluginManagement>
> </build>
> </project>
> {code}
> Running any goal, such as mvn -X clean, produces the following before the 
> goal is executed:
> {code}
> [DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, 
> ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, 
> ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, 
> ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, 
> ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, 
> DefaultDependencyCollector.collectTime=66890900, 
> DefaultDependencyCollector.transformTime=8523500}
> [DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:
> [DEBUG]    org.codehaus.plexus:plexus-utils:jar:1.1:runtime
> {code}
>  
> As far as I can see, there is no declared dependency on plexus-utils:1.1.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
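
Added example, not part of the original report or of Maven's own code: a Python check that scans `mvn -X` output for dependency-tree lines shaped like the excerpt quoted above and reports every banned coordinate together with the extension or plugin it was resolved for. The function name, the banned list, the three-spaces-per-level indent rule (read off the excerpt) and the second, clean tree in the sample are assumptions made for illustration.

```python
import re

# Coordinates the build must not resolve (the version named in the report).
BANNED = {("org.codehaus.plexus", "plexus-utils", "1.1")}

# Tree line in the debug log: "[DEBUG]" + indent + group:artifact:type:version[:scope]
# Root lines end with a bare ":" and carry no scope. Lines with a classifier
# or trailing annotations are not handled by this pattern (assumption).
NODE = re.compile(
    r"^\[DEBUG\](?P<indent> +)(?P<g>[\w.\-]+):(?P<a>[\w.\-]+):(?P<type>[\w\-]+)"
    r":(?P<v>[\w.\-]+)(?::(?P<scope>\w+))?:?\s*$"
)

def find_banned(log_text, banned=BANNED):
    """Return one finding per banned node seen in the resolved trees."""
    findings, root = [], None
    for line in log_text.splitlines():
        m = NODE.match(line)
        if m is None:
            continue  # stats lines, goal output, wrapped text, etc.
        coord = (m["g"], m["a"], m["v"])
        indent = len(m["indent"])
        if indent == 1:
            root = coord  # one space after [DEBUG] marks the top of a tree
        if coord in banned:
            findings.append({
                "root": ":".join(root) if root else None,
                "artifact": ":".join(coord),
                "scope": m["scope"],
                # assumed: three extra spaces per tree level, as in the excerpt
                "depth": (indent - 1) // 3,
            })
    return findings

# First tree copied from the report; second tree is constructed sample data.
SAMPLE = """\
[DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:
[DEBUG]    org.codehaus.plexus:plexus-utils:jar:1.1:runtime
[DEBUG] example.group:clean-extension:jar:1.0.0:
[DEBUG]    org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
"""

if __name__ == "__main__":
    for f in find_banned(SAMPLE):
        print(f"{f['artifact']} ({f['scope']}, depth {f['depth']}) via {f['root']}")
```

A depth of 1 means the banned artifact sits directly under the extension or plugin in the resolved tree, which is the situation the report describes.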
