Hi, I have a project that uses org.apache.maven.plugin-testing:maven-plugin-testing-harness:3.3.0 for testing a Maven plugin.
After upgrading the project’s Maven dependencies to Maven 3.8.2 I got this error message when running tests: ---- Error injecting: org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher java.lang.NoClassDefFoundError: org/sonatype/plexus/components/cipher/PlexusCipher ... 117 more ---- PlexusCipher is a class in the plexus-cipher artifact, which is a transitive dependency of maven-core 3.8.1: ---- [INFO] org.example:plexus-cipher-mystery:jar:1.0-SNAPSHOT [INFO] \- org.apache.maven:maven-core:jar:3.8.1:compile [INFO] +- org.apache.maven:maven-model:jar:3.8.1:compile [INFO] +- org.apache.maven:maven-settings:jar:3.8.1:compile [INFO] +- org.apache.maven:maven-settings-builder:jar:3.8.1:compile [INFO] | +- org.codehaus.plexus:plexus-interpolation:jar:1.25:compile [INFO] | \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile [INFO] | \- org.sonatype.plexus:plexus-cipher:jar:1.4:compile [INFO] +- org.apache.maven:maven-builder-support:jar:3.8.1:compile (…snip…) ---- But plexus-cipher is not a transitive dependency of maven-core 3.8.2: ---- [INFO] org.example:plexus-cipher-mystery:jar:1.0-SNAPSHOT [INFO] \- org.apache.maven:maven-core:jar:3.8.2:compile [INFO] +- org.apache.maven:maven-model:jar:3.8.2:compile [INFO] +- org.apache.maven:maven-settings:jar:3.8.2:compile [INFO] +- org.apache.maven:maven-settings-builder:jar:3.8.2:compile [INFO] | +- org.codehaus.plexus:plexus-interpolation:jar:1.25:compile [INFO] | \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile [INFO] +- org.apache.maven:maven-builder-support:jar:3.8.2:compile (…snip…) ---- Both maven-core 3.8.1 and 3.8.2 have a transitive dependency on org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4. The weird this is that when using maven-core 3.8.1 plexus-sec-dispatcher has a dependency on plexus-cipher, but when using maven-core 3.8.2 it doesn’t. How can this be? The pom.xml of plexus-sec-dispatcher:1.4 (https://search.maven.org/artifact/org.sonatype.plexus/plexus-sec-dispatcher/1.4/jar) indeed declares a dependency on plexus-cipher 1.4, but it’s not there when depending on maven-core 3.8.2. How can this be? And is this intentional? Is there an exclusion somewhere? Nils Breunese.
