Hi, and thanks for the answers! We (and many others I'm sure) are happy to see new releases as soon as possible, of course :-)
Anders: Thanks for the workaround, I implemented it in our corporate pom for maven-jar-plugin and maven-source-plugin, plus maven-javadoc-plugin. Then I wiped out .m2/repository and built the corporate parent and then one of our smaller projects (which had been changed to use the new parent version). I could see it downloaded version 4.1.0 of plexus-archiver, along with 3.3, 3.4, 3.5, 3.6.0, and 3.7.0 (it was simple mvn clean install, which also builds a source-jar and javadocs). However, when I do: dependency:resolve-plugins, I get: [INFO] org.apache.maven.plugins:maven-jar-plugin:maven-plugin:3.1.1:runtime [INFO] org.apache.maven.plugins:maven-jar-plugin:jar:3.1.1 [INFO] org.apache.maven:maven-plugin-api:jar:3.0 [INFO] org.apache.maven:maven-model:jar:3.0 [INFO] org.sonatype.sisu:sisu-inject-plexus:jar:1.4.2 [INFO] org.sonatype.sisu:sisu-inject-bean:jar:1.4.2 [INFO] org.sonatype.sisu:sisu-guice:jar:noaop:2.1.7 [INFO] org.apache.maven:maven-core:jar:3.0 [INFO] org.apache.maven:maven-settings:jar:3.0 [INFO] org.apache.maven:maven-settings-builder:jar:3.0 [INFO] org.apache.maven:maven-repository-metadata:jar:3.0 [INFO] org.apache.maven:maven-model-builder:jar:3.0 [INFO] org.apache.maven:maven-aether-provider:jar:3.0 [INFO] org.sonatype.aether:aether-impl:jar:1.7 [INFO] org.sonatype.aether:aether-spi:jar:1.7 [INFO] org.sonatype.aether:aether-api:jar:1.7 [INFO] org.sonatype.aether:aether-util:jar:1.7 [INFO] org.codehaus.plexus:plexus-interpolation:jar:1.14 [INFO] org.codehaus.plexus:plexus-classworlds:jar:2.2.3 [INFO] org.codehaus.plexus:plexus-component-annotations:jar:1.7.1 [INFO] org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3 [INFO] org.sonatype.plexus:plexus-cipher:jar:1.4 [INFO] org.apache.maven:maven-artifact:jar:3.0 [INFO] org.apache.maven:maven-archiver:jar:3.3.0 [INFO] org.apache.maven.shared:maven-shared-utils:jar:3.2.1 [INFO] commons-io:commons-io:jar:2.5 [INFO] org.codehaus.plexus:plexus-archiver:jar:3.7.0 <------ [INFO] org.codehaus.plexus:plexus-io:jar:3.1.0 [INFO] org.apache.commons:commons-compress:jar:1.18 [INFO] org.iq80.snappy:snappy:jar:0.4 [INFO] org.tukaani:xz:jar:1.8 [INFO] org.codehaus.plexus:plexus-utils:jar:3.1.0 Here's it still listing 3.7.0 of plexus-archiver, did it not work or does dependency:resolve-plugins fail to pick up version overrides? Same behavior for maven-source-plugin and maven-javadoc-plugin, both list their original dependencies in dependency:resolve-plugins (Unrelated question: Is the order of dependencies random in the above list or is it classpath order? If it's random, it would be better if it was sorted, so it's easy for the human eye to scan for a particular dependency) - Eric L On Tue, May 7, 2019 at 9:16 PM Anders Hammar <and...@hammar.net> wrote: > Checking m-jar-p, what is needed is an upgrade of plexus-archiver to > version 4.0.0+ as it includes an upgraded dependency to plexus-io v3.1.1. > See [1]. > If you include m-jar-p in the pluginManagement section of your corporate > parent-POM, you could bump this on the existing maven-jar-plugin v3.1.1 > like this: > <plugin> > <groupId>org.apache.maven.plugins</groupId> > <artifactId>maven-jar-plugin</artifactId> > <version>3.1.1</version> > <dependencies> > <dependency> > <groupId>org.codehaus.plexus</groupId> > <artifactId>plexus-archiver</artifactId> > <version>4.1.0</version> > </dependency> > </dependencies> > </plugin> > > [1] > > https://github.com/codehaus-plexus/plexus-archiver/blob/master/ReleaseNotes.md#plexus-archiver-400 > > /Anders > > On Tue, May 7, 2019 at 8:07 PM Eric Lilja <mindcoo...@gmail.com> wrote: > > > Hi, in my organization we're seeing big increases in build time using > newer > > versions of maven-jar-plugin and maven-sources-plugin, because those > > plugins are affected by a bug in plexus-io. > > > > The issue in plexus-io has been fixed since some time: [1] and I > believe a > > release has been made of relevant plexus components containing the fix > (but > > I might be wrong about that). > > > > However, both MJAR-259 [2] and MSOURCES-119 [3] are still open. When can > we > > expect new releases of these two plugins (and other plugins/components > > affected by the same issue)? Is something block the release or no one > > simply got around to it yet? > > > > We're trying to stay current and modern in our little eco-system at work, > > but this issue is holding us back on older versions of aforementioned > > plugins. > > > > Thanks for your time! > > > > - Eric L > > > > [1] https://github.com/codehaus-plexus/plexus-io/pull/17 > > [2] https://issues.apache.org/jira/browse/MJAR-259 > > [3] https://issues.apache.org/jira/browse/MSOURCES-119 > > >
