Mark Nolan

Reputation: 51

Project of type maven-archetype tries to download plexus-utils:1.1

I have a simple archetype project. When using even mvn clean, it tries to download plexus-utils:1.1, which is prohibited from my company's repo due to vulnerabilities.

I have been through the various artefacts checking for a dependency on this version and found none. The only dependency I can find is on plexus-utils:3.2.0.

On my personal laptop, if I delete all versions of plexus-utils from my local repo, it downloads 1.1 before downloading other versions later (for the clean plugin, or the archetype plugin etc).

Can anyone help me work out why it tries to download that version of plexus-utils?

pom.xml

...
    <packaging>maven-archetype</packaging>
...

    <build>
        <extensions>
            <extension>
                <groupId>org.apache.maven.archetype</groupId>
                <artifactId>archetype-packaging</artifactId>
                <version>3.1.2</version>
            </extension>
        </extensions>

        <pluginManagement>
            <plugins>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-archetype-plugin</artifactId>
                    <version>3.1.2</version>
                </plugin>
            </plugins>
        </pluginManagement>
    </build>
</project>

result of mvn -X clean

Apache Maven 3.6.0 (97c98ec64a1fdfee7767ce5ffb20918da4f719f3; 2018-10-24T19:41:47+01:00)
Maven home: C:\no-space-paths\apache-maven-3.6.0\bin\..
Java version: 1.8.0_192, vendor: Oracle Corporation, runtime: C:\Program Files\Java\jdk1.8.0_192\jre
Default locale: en_GB, platform encoding: Cp1252
OS name: "windows 10", version: "10.0", arch: "amd64", family: "windows"
[DEBUG] Created new class realm maven.api
[DEBUG] Importing foreign packages into class realm maven.api
[DEBUG]   Imported: javax.annotation.* < plexus.core

... snip ...

[DEBUG]   Imported: org.codehaus.classworlds < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.* < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.classworlds < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.component < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.configuration < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.container < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.context < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.lifecycle < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.logging < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.personality < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.util.xml.Xpp3Dom < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.util.xml.pull.XmlPullParser < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.util.xml.pull.XmlPullParserException < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.util.xml.pull.XmlSerializer < plexus.core
[DEBUG]   Imported: org.eclipse.aether.* < plexus.core

... snip ...

[DEBUG]   Imported: org.slf4j.spi.* < plexus.core
[DEBUG] Populating class realm maven.api
[INFO] Error stacktraces are turned on.

... snip ...

[INFO] Scanning for projects...
[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=759600, ConflictMarker.markTime=341900, ConflictMarker.nodeCount=1, ConflictIdSorter.graphTime=804800, ConflictIdSorter.topsortTime=613100, ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, ConflictResolver.totalTime=3014800, ConflictResolver.conflictItemCount=1, DefaultDependencyCollector.collectTime=63887200, DefaultDependencyCollector.transformTime=8607800}
[DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:
[DEBUG]    org.codehaus.plexus:plexus-utils:jar:1.1:runtime
[DEBUG] Using transporter WagonTransporter with priority -1.0 for https://repo.maven.apache.org/maven2
[DEBUG] Using connector BasicRepositoryConnector with priority 0.0 for https://repo.maven.apache.org/maven2
Downloading from central: https://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/1.1/plexus-utils-1.1.jar
Downloaded from central: https://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/1.1/plexus-utils-1.1.jar (169 kB at 218 kB/s)

... snip (downloads as normal) ...

[DEBUG] Created new class realm extension>org.apache.maven.archetype:archetype-packaging:3.1.2
[DEBUG] Importing foreign packages into class realm extension>org.apache.maven.archetype:archetype-packaging:3.1.2
[DEBUG]   Imported:  < maven.api
[DEBUG] Populating class realm extension>org.apache.maven.archetype:archetype-packaging:3.1.2
[DEBUG]   Included: org.apache.maven.archetype:archetype-packaging:jar:3.1.2
[DEBUG]   Included: org.codehaus.plexus:plexus-utils:jar:1.1
[DEBUG] Extension realms for project test:test:maven-archetype:0.0.1-SNAPSHOT: [ClassRealm[extension>org.apache.maven.archetype:archetype-packaging:3.1.2, parent: sun.misc.Launcher$AppClassLoader@4e25154f]]
[DEBUG] Created new class realm project>test:test:0.0.1-SNAPSHOT
[DEBUG] Populating class realm project>test:test:0.0.1-SNAPSHOT
[DEBUG]   Included: org.apache.maven.archetype:archetype-packaging:jar:3.1.2

And the corporate version fails because it cannot download plexus-utils:1.1. This is all before it actually starts to process the clean goal.

So, for some reason, it has resolved the dependencies for archetype-packaging and decided that it requires plexus-utils:1.1. What does the :runtime mean in the list of dependencies? -- edited to say, I can see that :runtime must be the scope of the dependency, but it isn't declared anywhere.

But if I look at archetype-packaging, there is nothing in the pom or jar that suggests to me that it should use plexus-utils:1.1.

archetype-packaging-3.1.2.pom

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.apache.maven.archetype</groupId>
    <artifactId>maven-archetype</artifactId>
    <version>3.1.2</version>
  </parent>

  <artifactId>archetype-packaging</artifactId>

  <name>Maven Archetype Packaging</name>
  <description>'maven-archetype' packaging configuration for archetypes.</description>

</project>

maven-archetype-3.1.2.pom

  <dependencyManagement>

... snip ...

      <dependency>
        <groupId>org.codehaus.plexus</groupId>
        <artifactId>plexus-utils</artifactId>
        <version>3.2.0</version>
      </dependency>
...

Really the only thing in the archetype-packaging jar file is plexus\components.xml. I suppose it could be something in here, but there is no indication from the dependency collection that it is using any of these and there is no clean goal specified.

<?xml version="1.0" encoding="UTF-8"?>
<component-set>
  <components>
    <component>
      <role>org.apache.maven.lifecycle.mapping.LifecycleMapping</role>
      <role-hint>maven-archetype</role-hint>
      <implementation>org.apache.maven.lifecycle.mapping.DefaultLifecycleMapping</implementation>
      <configuration>
        
        <phases>
          <process-resources>org.apache.maven.plugins:maven-resources-plugin:resources</process-resources>
          <process-test-resources>org.apache.maven.plugins:maven-resources-plugin:testResources</process-test-resources>
          <package>org.apache.maven.plugins:maven-archetype-plugin:jar</package>
          <integration-test>org.apache.maven.plugins:maven-archetype-plugin:integration-test</integration-test>
          <install>org.apache.maven.plugins:maven-install-plugin:install,
            org.apache.maven.plugins:maven-archetype-plugin:update-local-catalog
          </install>
          
          <deploy>org.apache.maven.plugins:maven-deploy-plugin:deploy</deploy>
        </phases>
        
      </configuration>
    </component>

    <component>
      <role>org.apache.maven.artifact.handler.ArtifactHandler</role>
      <role-hint>maven-archetype</role-hint>
      <implementation>org.apache.maven.artifact.handler.DefaultArtifactHandler</implementation>
      <configuration>
        <type>maven-archetype</type>
        <extension>jar</extension>
        <packaging>maven-archetype</packaging>
      </configuration>
    </component>

  </components>
</component-set>

Upvotes: 0

Views: 1812

Answers (1)

Mark Nolan

Reputation: 51

It turns out this is (somewhat obscure) functionality of Maven 3 to be compatible with Maven 2. Any plugin (or extension) that does not declare an explicit dependency on plexus-utils will have an implicit dependency on plexus-utils:1.1 added.

You can see what I think of this decision here: archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1

Upvotes: 2
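To see which plugins and extensions in a build receive the implicit plexus-utils:1.1, the `mvn -X` debug output can be scanned for it. The following is an added example, not part of the original post: it assumes the log line formats quoted in the question, and the function name and embedded sample are constructed for illustration.

```python
import re

# Constructed sample: debug lines copied from the `mvn -X clean` output in the question.
SAMPLE_LOG = """\
[DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:
[DEBUG]    org.codehaus.plexus:plexus-utils:jar:1.1:runtime
[DEBUG] Using transporter WagonTransporter with priority -1.0 for https://repo.maven.apache.org/maven2
[DEBUG] Created new class realm extension>org.apache.maven.archetype:archetype-packaging:3.1.2
[DEBUG] Populating class realm extension>org.apache.maven.archetype:archetype-packaging:3.1.2
[DEBUG]   Included: org.apache.maven.archetype:archetype-packaging:jar:3.1.2
[DEBUG]   Included: org.codehaus.plexus:plexus-utils:jar:1.1
[DEBUG] Populating class realm project>test:test:0.0.1-SNAPSHOT
[DEBUG]   Included: org.apache.maven.archetype:archetype-packaging:jar:3.1.2
"""

# Header of a class realm being filled: "[DEBUG] Populating class realm <realm id>"
REALM = re.compile(r"^\[DEBUG\] Populating class realm (\S+)")
# Root of a resolved dependency tree: "[DEBUG] group:artifact:type:version:"
TREE_ROOT = re.compile(r"^\[DEBUG\] ([\w.\-]+(?::[\w.\-]+){3}):$")
# Indented member line, either a tree child or an "Included:" realm entry
MEMBER = re.compile(r"^\[DEBUG\]\s{2,}(?:Included: )?(\S+)")


def find_implicit_plexus(log_text, banned="org.codehaus.plexus:plexus-utils:jar:1.1"):
    """Return sorted (kind, owner) pairs whose members include the banned coordinate."""
    hits = set()
    owner = None  # (kind, id) of the realm or tree root currently being listed
    for line in log_text.splitlines():
        realm, root = REALM.match(line), TREE_ROOT.match(line)
        if realm or root:
            owner = ("realm", realm.group(1)) if realm else ("resolved", root.group(1))
            continue
        member = MEMBER.match(line)
        if member is None:
            owner = None  # any other log line ends the current listing
            continue
        coord = member.group(1)
        # Tree lines carry a trailing scope (":runtime"); realm lines do not.
        if owner and (coord == banned or coord.startswith(banned + ":")):
            hits.add(owner)
    return sorted(hits)


if __name__ == "__main__":
    for kind, owner in find_implicit_plexus(SAMPLE_LOG):
        print(f"{kind}: {owner} pulls in plexus-utils:1.1")
```

Run against a full build log, each reported owner is a plugin or extension that does not declare plexus-utils itself and so gets the 1.1 default.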
