Nils Breunese created MNG-7219: ---------------------------------- Summary: plexus-cipher missing from transitive dependencies of maven-core 3.8.2 Key: MNG-7219 URL: https://issues.apache.org/jira/browse/MNG-7219 Project: Maven Issue Type: Bug Affects Versions: 3.8.2 Reporter: Nils Breunese
I have a project that uses {{org.apache.maven.plugin-testing:maven-plugin-testing-harness:3.3.0}} for testing a Maven plugin. After upgrading the project’s Maven dependencies from Maven 3.8.1 to 3.8.2 I got this error message when running tests: {code} Error injecting: org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher java.lang.NoClassDefFoundError: org/sonatype/plexus/components/cipher/PlexusCipher ... 117 more {code} {{PlexusCipher}} is a class in the {{plexus-cipher}} artifact, which is a transitive dependency of {{maven-core}} 3.8.1: {code} [INFO] org.example:plexus-cipher-mystery:jar:1.0-SNAPSHOT [INFO] \- org.apache.maven:maven-core:jar:3.8.1:compile [INFO] +- org.apache.maven:maven-model:jar:3.8.1:compile [INFO] +- org.apache.maven:maven-settings:jar:3.8.1:compile [INFO] +- org.apache.maven:maven-settings-builder:jar:3.8.1:compile [INFO] | +- org.codehaus.plexus:plexus-interpolation:jar:1.25:compile [INFO] | \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile [INFO] | \- org.sonatype.plexus:plexus-cipher:jar:1.4:compile [INFO] +- org.apache.maven:maven-builder-support:jar:3.8.1:compile (…snip…) {code} But {{plexus-cipher}} is not a transitive dependency of {{maven-core}} 3.8.2: {code} [INFO] org.example:plexus-cipher-mystery:jar:1.0-SNAPSHOT [INFO] \- org.apache.maven:maven-core:jar:3.8.2:compile [INFO] +- org.apache.maven:maven-model:jar:3.8.2:compile [INFO] +- org.apache.maven:maven-settings:jar:3.8.2:compile [INFO] +- org.apache.maven:maven-settings-builder:jar:3.8.2:compile [INFO] | +- org.codehaus.plexus:plexus-interpolation:jar:1.25:compile [INFO] | \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile [INFO] +- org.apache.maven:maven-builder-support:jar:3.8.2:compile (…snip…) {code} Both {{maven-core}} 3.8.1 and 3.8.2 have a transitive dependency on {{org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4}}. When using {{maven-core}} 3.8.1 {{plexus-sec-dispatcher}} has a dependency on plexus-cipher, but when using {{maven-core}} 3.8.2 it doesn’t. The [{{pom.xml}} of {{plexus-sec-dispatcher:1.4}}|https://search.maven.org/artifact/org.sonatype.plexus/plexus-sec-dispatcher/1.4/jar] indeed declares a dependency on {{plexus-cipher}} 1.4, but it’s not there when depending on {{maven-core}} 3.8.2. This regression was [confirmed by Michael Osipov on the Maven Users mailing list|https://lists.apache.org/thread.html/r7f5a62fd35dc6698c8f7097734f7c4acf4bb657d6c721e8a7bc76b8c%40%3Cusers.maven.apache.org%3E]. He mentioned that it was caused by commit 41efc134a9067b58a5ab01e9b8b05d2bd84a94f0, which was done for MNG-6886 ("upgrade plexus-cipher to 1.8 and update changed groupId"). A global exclusion was performed, but not all affected modules were properly updated (so the change wasn't complete): {code} [DEBUG] org.apache.maven:maven-settings-builder:jar:3.8.2 [DEBUG] org.apache.maven:maven-builder-support:jar:3.8.2:compile [DEBUG] javax.inject:javax.inject:jar:1:compile [DEBUG] org.codehaus.plexus:plexus-interpolation:jar:1.25:compile [DEBUG] org.codehaus.plexus:plexus-utils:jar:3.2.1:compile [DEBUG] org.apache.maven:maven-settings:jar:3.8.2:compile [DEBUG] org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile (exclusions managed from [org.sonatype.plexus:plexus-cipher:*:*]) [DEBUG] junit:junit:jar:4.12:test [DEBUG] org.hamcrest:hamcrest-core:jar:1.3:test (scope managed from compile) (version managed from 1.3) [INFO] org.apache.maven:maven-settings-builder:jar:3.8.2 [INFO] +- org.apache.maven:maven-builder-support:jar:3.8.2:compile [INFO] +- javax.inject:javax.inject:jar:1:compile [INFO] +- org.codehaus.plexus:plexus-interpolation:jar:1.25:compile [INFO] +- org.codehaus.plexus:plexus-utils:jar:3.2.1:compile [INFO] +- org.apache.maven:maven-settings:jar:3.8.2:compile [INFO] +- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile [INFO] \- junit:junit:jar:4.12:test [INFO] \- org.hamcrest:hamcrest-core:jar:1.3:test {code} -- This message was sent by Atlassian Jira (v8.3.4#803005)