Hi Jeremy, thanks for the PRs.

On Wed, 27 Aug 2025 at 00:51, Jeremy Landis <jeremylan...@hotmail.com> wrote:
>
> I pushed up 3 PRs.
>
> https://github.com/apache/maven-wrapper/pull/361 - simple normalization
> (there were a couple of files with tabs in them and a few of them without
> proper end of file markers - empty lines). Not super important but had it
> hanging around.

cosmetics change ... by the way we cannot remove tabs from shell here-docs

> https://github.com/apache/maven-wrapper/pull/362 - This has the maven 4
> support. I've been using it at work at scale for a few months now and added
> it to spotbugs maven plugin integration tests in last week or so.

It will be fixed in next Maven 4 version, affected only on deprecated scripts

> https://github.com/apache/maven-wrapper/pull/363 - This one updates logic in
> MavenWrapperDownloader.jar to resolve path traversal issue raised by Snyk.
> In my usage I have it coded to java 11 but adjusted here to be java 8
> compliant. I don't know if unit tests in maven wrapper execute this at all
> and I haven't directly confirmed it as it's a fallback and probably hard to
> occur in general. What I have done is mainly reviewed it, asked various AI
> tools a few times and it seems good enough but should be tested further if
> anyone has a good way to force a test on it.

Also in deprecated methods, there is some code to prevent simple path traversal.

More comments will be in mentioned PRs.

So I don't see a reason to break current vote.
We can work on proposed changes and prepare next release.

> Outside of how I applied this with spotbugs maven plugin to show maven 4, I
> have a separate unique process at work that uses maven to seed projects at
> scale in ci pipelines via pull requests to keep up to date. To typically I
> adjust the distribution files and don't run maven wrapper plugin to directly
> apply the files as a result. That ends up in me running ahead for a longer
> period so generally I had this stuff just sitting around waiting for a good
> time. When I saw possible release coming, that was my trigger to move but I
> was just a bit too slow 😉 It's likely I still have a few extra things I have
> yet to pull over but these were all fresh on my mind.
>
> Thanks,
>
> Jeremy
>
> -----Original Message-----
> From: Slawomir Jaranowski <s.jaranow...@gmail.com>
> Sent: Tuesday, August 26, 2025 4:37 PM
> To: Maven Developers List <dev@maven.apache.org>
> Subject: Re: [VOTE] Release Apache Maven Wrapper version 3.3.3
>
> No problem, I can delay or re-spawn as a new fix will be available.
>
> On Tue, 26 Aug 2025 at 22:14, Jeremy Landis <jeremylan...@hotmail.com> wrote:
> >
> > There are path traversal issues in MavenWrapperDownloader.java in
> > existing releases which are easy to fix. Additionally, maven 4 more recent
> > versions don't work without a patch. I can send some PRs for both these
> > issues, would it be possible to delay the vote until these are corrected so
> > we get more broad support? I can send PRs tonight as they are rather
> > simple and I've been using them both in production level usage for a while
> > now.
> >
> > Thanks,
> >
> > Jeremy Landis
> >
> > -----Original Message-----
> > From: Slawomir Jaranowski <s.jaranow...@gmail.com>
> > Sent: Tuesday, August 26, 2025 4:08 PM
> > To: Maven Developers List <dev@maven.apache.org>
> > Subject: [VOTE] Release Apache Maven Wrapper version 3.3.3
> >
> > Hi,
> >
> > We solved 47 issues:
> > https://github.com/apache/maven-wrapper/issues?q=is%3Aclosed%20milestone%3A3.3.3
> >
> > Changes since the last release:
> > https://github.com/apache/maven-wrapper/compare/maven-wrapper-3.3.2...maven-wrapper-3.3.3
> >
> > Staging repo:
> > https://repository.apache.org/content/repositories/maven-2314/
> > https://repository.apache.org/content/repositories/maven-2314/org/apache/maven/wrapper/maven-wrapper/3.3.3/maven-wrapper-3.3.3-source-release.zip
> >
> > Source release checksum(s):
> > maven-wrapper-3.3.3-source-release.zip - SHA-512 :
> > 119dcfe7d94375ca5594ba0b4da4f5f6b114e9fb87aa36f22730f7c8ec3dc783c3bf68b73cdbf8d41f7afb4822ee0b344a29b61964cdd893088e7cf4c33793ed
> >
> > Staging site:
> > https://maven.apache.org/tools-archives/wrapper-LATEST/
> >
> > Guide to testing staged releases:
> > https://maven.apache.org/guides/development/guide-testing-releases.html
> >
> > Vote open for at least 72 hours.
> >
> > [ ] +1
> > [ ] +0
> > [ ] -1
> >
> > --
> > Sławomir Jaranowski
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> > For additional commands, e-mail: dev-h...@maven.apache.org
>
> --
> Sławomir Jaranowski

--
Sławomir Jaranowski