[ https://issues.apache.org/jira/browse/MNG-7045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17244013#comment-17244013 ]
Romain Manni-Bucau commented on MNG-7045: ----------------------------------------- Ok, here is a small reproducer: {code:java} <project> <modelVersion>4.0.0</modelVersion> <groupId>org.apache.maven.its.mng7045</groupId> <artifactId>test</artifactId> <version>1.0</version> <name>Maven Integration Test :: MNG-7045</name> <description> Do a maven exec-java which executes some cdi 2.0 code which would fail if maven leaks cdi-api 1.0. </description> <dependencies> <dependency> <groupId>org.apache.geronimo.specs</groupId> <artifactId>geronimo-jcdi_2.0_spec</artifactId> <version>1.3</version> </dependency> </dependencies> <build> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-compiler-plugin</artifactId> <version>3.8.1</version> <configuration> <source>8</source> <target>8</target> <encoding>UTF-8</encoding> </configuration> </plugin> <plugin> <groupId>org.codehaus.gmavenplus</groupId> <artifactId>gmavenplus-plugin</artifactId> <version>1.11.0</version> <executions> <execution> <id>run</id> <phase>process-classes</phase> <goals> <goal>execute</goal> </goals> </execution> </executions> <configuration> <scripts> <script><![CDATA[ println("InstanceSource=" + javax.enterprise.inject.Instance.class.getProtectionDomain().getCodeSource()) javax.enterprise.inject.Instance.class.getDeclaredMethod("stream") ]]></script> </scripts> </configuration> <dependencies> <dependency> <groupId>org.codehaus.groovy</groupId> <artifactId>groovy</artifactId> <version>3.0.7</version> <scope>runtime</scope> </dependency> </dependencies> </plugin> </plugins> </build> </project> {code} if you run "mvn process-classes" it fails on 3.6.3 and works on 4.0.0-alpha-1-SNAPSHOT. The point is that as soon as you add decorator/interceptor, reflection will occur similarly to this main - this is why i dont even start a full container and just do a reflection check to ensure it uses the api specified in dependency. It happens for plugin using ClassRealm as parent classloader of the runtime one (so exec one can be safe in several cases but not 100%) with the default parent first strategy. > Drop CDI API from Maven > ----------------------- > > Key: MNG-7045 > URL: https://issues.apache.org/jira/browse/MNG-7045 > Project: Maven > Issue Type: Bug > Components: core > Reporter: Romain Manni-Bucau > Priority: Major > > This is an old leak which triggered a lot of regressions and still triggers > bugs in mojos. > Since there is on real justification in maven itself (@Typed is not since > there are alternative and cdi is not used in any piece of maven), let's drop > it. > If a plugin needs it, it already has it since cdi-api is outdated anyway. -- This message was sent by Atlassian Jira (v8.3.4#803005)