I agree with the recommendations made by Anthony, and that best practice is to specify all versions explicitly.
However, I am also empathetic to the concerns raised by Tilman. When people compare Maven to other build tools and complain about the verbosity of POM files, a lot of that verbosity comes from having to specify versions for plugins, including plugins that are part of the default lifecycle. If we agree that Maven follows a convention over configuration design, perhaps the Super POM should be updated to some more sensible defaults. While it may not be as reproducible to leave them unspecified, it would reduce the surprise to beginners when now very outdated plugin versions are used by default. Greg On Mon, Feb 22, 2021 at 3:44 PM Anthony Whitford <anth...@whitford.com> wrote: > I recommend reading the “Important Note” found here: > https://maven.apache.org/guides/mini/guide-configuring-plugins.html#introduction > < > https://maven.apache.org/guides/mini/guide-configuring-plugins.html#introduction > > > > > Important Note: Always define each version of the plugins used by the > build to guarantee the build reproducibility. A good practice is to specify > them in the <build><pluginManagement/></build> elements for each build > plugins. (Generally, you will define a <pluginManagement/> element in a > parent POM.) For reporting plugins, specify each version in the > <reporting><plugins/></reporting> elements (and surely in the > <build><pluginManagement/></build> elements too). > > > In other words, do not rely on the implied Super Parent Pom for defining > plugin versions because it will not guarantee build reproducibility. > Instead, your pom hierarchy should explicitly declare the plugin versions > to use. (Maintaining a corporate pom that may be used across projects > might be a wise approach.) > > > > On Feb 22, 2021, at 11:11 AM, Tilman Hausherr <thaush...@t-online.de> > wrote: > > > > Hello, > > > > I'm using maven 3.6.3 and the maven-surefire-plugin version used in a > build is 2.12.4 when the version is not specified, the "effective" version > is 2.10. For junit 5 one needs 2.22.2, see > > > https://junit.org/junit5/docs/current/user-guide/#running-tests-build-maven > > this is a pitfall for JUnit 5 users: > > https://stackoverflow.com/a/66313961/535646 > > who don't read the manual. Should I create a JIRA issue that the super > pom should be updated? Or is another plugin to "blame" for the default > version? > > > > Tilman > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@maven.apache.org > > For additional commands, e-mail: users-h...@maven.apache.org > > > >
