Is there a BOM that could (and should) be used? (fwiw, this was underdocumented last time I looked years ago, maybe it no longer is nowadays?)
Thomas Broyer
/tɔ.ma.bʁwa.je/ <https://ipa-reader.com/?text=t%C9%94.ma.b%CA%81wa.je&voice=Mathieu>

On Fri, Aug 22, 2025, 20:02, Tamás Cservenák <ta...@cservenak.net> wrote:

> Howdy,
>
> I was just checking downstream dependencies of Resolver 2.x and was
> first surprised how many of them are:
>
> https://deps.dev/maven/org.apache.maven.resolver%3Amaven-resolver-api/2.0.10/dependents
>
> By inspecting, I discovered that MANY are in fact Maven 3 plugins (!),
> building against some Maven 3.9.x version AND Resolver 2.0.x!!!
>
> By spot testing, I see these versions usually entered plugin projects
> via automated dependency updates that were "green" and then (blindly)
> merged. This is wrong!
>
> Resolver version in case Maven plugins should be kept in "lockstep"
> with Maven plugin is built against (as those artifacts are swapped out
> at runtime with runtime provided ones). This works based on the GA
> exported by Maven Core. Maven 3 uses Resolver 1, so exported GAs are
> based on Resolver 1.x, while Resolver 2.x introduces new artifacts but
> also things like transport renames (http -> apache, new jdk transport,
> etc). Basically, Resolver 2.x was NEVER meant to be used by Maven 3
> plugins!
>
> Automated updates done by dependabot and alike _work_ as Resolver 2.x
> is strict regarding source and binary compatibility, see
> https://maven.apache.org/resolver/upgrading-resolver.html but this
> does not mean it is "right thing to do" (tm).
>
> Again, in case of Maven plugins major Maven dependencies usually need
> to be kept in "lockstep" (fx if you build against Maven 3.9.11 you
> should use Resolver 1.9.24).
>
> Maven 3 uses Resolver 1.x lineage, while Maven 4 uses Resolver 2.x lineage.
>
> Mixing two major versions should not happen!
>
> Thanks
> T
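A check for the lockstep rule described in the quoted message, as an added example that is not part of the thread or of any Maven project code: it parses a POM, resolves `${property}` versions, and reports `org.apache.maven.resolver` dependencies whose major version does not match the Maven lineage the plugin builds against. The sample POM and the function name `find_lineage_mismatches` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Lineage pairing stated in the thread: Maven 3 -> Resolver 1.x, Maven 4 -> Resolver 2.x.
EXPECTED_RESOLVER_MAJOR = {3: 1, 4: 2}

# Constructed sample POM (not a real project): a Maven 3 plugin whose
# resolver dependency was bumped to 2.x by an automated update.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><mavenVersion>3.9.11</mavenVersion></properties>
  <dependencies>
    <dependency><groupId>org.apache.maven</groupId>
      <artifactId>maven-core</artifactId><version>${mavenVersion}</version></dependency>
    <dependency><groupId>org.apache.maven.resolver</groupId>
      <artifactId>maven-resolver-api</artifactId><version>2.0.10</version></dependency>
  </dependencies>
</project>"""

def find_lineage_mismatches(pom_xml):
    """Return [(artifactId, version, maven_version)] for off-lineage resolver deps."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    def resolve(v):  # substitute ${name} from <properties>; unknown names stay as-is
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), v or "")
    # Covers every <dependencies> block in the file (including dependencyManagement).
    deps = [(d.findtext("m:groupId", "", NS), d.findtext("m:artifactId", "", NS),
             resolve(d.findtext("m:version", "", NS)))
            for d in root.iterfind(".//m:dependencies/m:dependency", NS)]
    maven = next((v for g, a, v in deps if g == "org.apache.maven" and v[:1].isdigit()), None)
    if maven is None:
        return []  # no Maven core dependency with a literal version: nothing to compare
    want = EXPECTED_RESOLVER_MAJOR.get(int(maven.split(".")[0]))
    return [(a, v, maven) for g, a, v in deps
            if g == "org.apache.maven.resolver" and v[:1].isdigit()
            and want is not None and int(v.split(".")[0]) != want]

if __name__ == "__main__":
    for artifact, version, maven in find_lineage_mismatches(SAMPLE_POM):
        print(f"{artifact} {version} does not match the Maven {maven} lineage")
```

Run against a plugin's `pom.xml` in CI, a non-empty result gives a "green" automated update a reason to fail before it is merged.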