hazendaz opened a new issue, #11693: URL: https://github.com/apache/maven/issues/11693
### Affected version

4.0.0-rc-5

### Bug description

In Maven 3, I can change the POM namespace to use HTTPS instead of HTTP. I do this deliberately so that automated scans can detect potential HTTP usage without triggering false positives for the canonical Maven POM namespace. The release plugin in Maven 3 provides a flag <addSchema>false</addSchema> to ignore this change, which has worked reliably for years.

In Maven 4, however, the same POM fails with:

```
org.apache.maven.api.services.xml.XmlReaderException: Unable to read model: Unknown attribute 'schemaLocation' for tag 'project'
```

Example POM snippet that is valid in Maven 3:

```
<project xmlns="https://maven.apache.org/POM/4.0.0"
         xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="https://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
```

Problem: Maven 4 is stricter in validating the xsi:schemaLocation and does not allow the namespace to use HTTPS. This breaks valid XML and creates unnecessary friction for teams trying to avoid HTTP usage in code audits. There is no flag or property in maven.config to bypass this validation, unlike Maven 3’s workaround with the release plugin.

Proposed improvement: Maven should allow the POM namespace to use either http or https while still validating the POM, or provide a global flag in maven.config that disables strict schema validation for the POM entirely.

This would:

1. Reduce false positives when scanning for HTTP URLs.
2. Maintain backward compatibility for teams using HTTPS namespaces.
3. Avoid requiring widespread removal or modification of xsi:schemaLocation in hundreds of POMs.
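One way an audit scan can avoid the false positive described in this issue is to parse the POM and skip XML namespace identifiers, reporting only `http://` values that name something to be fetched. This is an added example, not code from the issue or from Maven; `find_cleartext_urls`, the sample POM and the host `repo.example.invalid` are constructed for illustration, and flagging the schema-location hint is an assumed policy choice.

```python
import io
import re
import xml.etree.ElementTree as ET

XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
HTTP_URL = re.compile(r"http://[^\s\"'<>]+")

# Constructed sample: canonical POM header plus one cleartext repository URL.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <repositories>
    <repository>
      <id>internal</id>
      <url>http://repo.example.invalid/maven2</url>
    </repository>
  </repositories>
</project>"""

def find_cleartext_urls(pom_xml):
    """Return (xpath-like location, url) pairs for http:// URLs in a POM.

    xmlns declarations are consumed by ElementTree as namespace bindings, so
    they never appear as attributes and are not reported. Comments and text
    between sibling elements are not scanned.
    """
    findings, path = [], []
    source = io.BytesIO(pom_xml.encode("utf-8"))
    for event, node in ET.iterparse(source, events=("start", "end")):
        if event == "start":
            path.append(node.tag.rsplit("}", 1)[-1])
            for name, value in node.attrib.items():
                if name == f"{{{XSI_NS}}}schemaLocation":
                    # "namespace location" pairs: only locations are URLs to fetch.
                    candidates = value.split()[1::2]
                else:
                    candidates = [value]
                local = name.rsplit("}", 1)[-1]
                for candidate in candidates:
                    for url in HTTP_URL.findall(candidate):
                        findings.append(("/".join(path) + "/@" + local, url))
        else:  # "end": element text is complete only now
            for url in HTTP_URL.findall(node.text or ""):
                findings.append(("/".join(path), url))
            path.pop()
    return findings

if __name__ == "__main__":
    for where, url in find_cleartext_urls(SAMPLE_POM):
        print(f"{where}: {url}")
```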
