Posted to issues@maven.apache.org by "Guillaume Nodet (Jira)" <ji...@apache.org> on 2022/10/20 08:11:02 UTC

[jira] [Updated] (MNG-7219) [Regression] plexus-cipher missing from transitive dependencies

     [ https://issues.apache.org/jira/browse/MNG-7219?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Guillaume Nodet updated MNG-7219:
---------------------------------
    Fix Version/s: 4.0.0-alpha-2

> [Regression] plexus-cipher missing from transitive dependencies
> ---------------------------------------------------------------
>
>                 Key: MNG-7219
>                 URL: https://issues.apache.org/jira/browse/MNG-7219
>             Project: Maven
>          Issue Type: Bug
>          Components: Dependencies
>    Affects Versions: 3.8.2
>            Reporter: Nils Breunese
>            Assignee: Michael Osipov
>            Priority: Major
>             Fix For: 3.8.3, 4.0.0-alpha-1, 4.0.0-alpha-2, 4.0.0
>
>
> I have a project that uses {{org.apache.maven.plugin-testing:maven-plugin-testing-harness:3.3.0}} for testing a Maven plugin.
> After upgrading the project’s Maven dependencies from Maven 3.8.1 to 3.8.2 I got this error message when running tests:
> {code}
> Error injecting: org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher
> java.lang.NoClassDefFoundError: org/sonatype/plexus/components/cipher/PlexusCipher
> 	... 117 more
> {code}
> {{PlexusCipher}} is a class in the {{plexus-cipher}} artifact, which is a transitive dependency of {{maven-core}} 3.8.1:
> {code}
> [INFO] org.example:plexus-cipher-mystery:jar:1.0-SNAPSHOT
> [INFO] \- org.apache.maven:maven-core:jar:3.8.1:compile
> [INFO]    +- org.apache.maven:maven-model:jar:3.8.1:compile
> [INFO]    +- org.apache.maven:maven-settings:jar:3.8.1:compile
> [INFO]    +- org.apache.maven:maven-settings-builder:jar:3.8.1:compile
> [INFO]    |  +- org.codehaus.plexus:plexus-interpolation:jar:1.25:compile
> [INFO]    |  \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile
> [INFO]    |     \- org.sonatype.plexus:plexus-cipher:jar:1.4:compile
> [INFO]    +- org.apache.maven:maven-builder-support:jar:3.8.1:compile
> (…snip…)
> {code}
> But {{plexus-cipher}} is not a transitive dependency of {{maven-core}} 3.8.2:
> {code}
> [INFO] org.example:plexus-cipher-mystery:jar:1.0-SNAPSHOT
> [INFO] \- org.apache.maven:maven-core:jar:3.8.2:compile
> [INFO]    +- org.apache.maven:maven-model:jar:3.8.2:compile
> [INFO]    +- org.apache.maven:maven-settings:jar:3.8.2:compile
> [INFO]    +- org.apache.maven:maven-settings-builder:jar:3.8.2:compile
> [INFO]    |  +- org.codehaus.plexus:plexus-interpolation:jar:1.25:compile
> [INFO]    |  \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile
> [INFO]    +- org.apache.maven:maven-builder-support:jar:3.8.2:compile
> (…snip…)
> {code}
> Both {{maven-core}} 3.8.1 and 3.8.2 have a transitive dependency on {{org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4}}. When using {{maven-core}} 3.8.1 {{plexus-sec-dispatcher}} has a dependency on plexus-cipher, but when using {{maven-core}} 3.8.2 it doesn’t.
> The [{{pom.xml}} of {{plexus-sec-dispatcher:1.4}}|https://search.maven.org/artifact/org.sonatype.plexus/plexus-sec-dispatcher/1.4/jar] indeed declares a dependency on {{plexus-cipher}} 1.4, but it’s not there when depending on {{maven-core}} 3.8.2.
> This regression was [confirmed by Michael Osipov on the Maven Users mailing list|https://lists.apache.org/thread.html/r7f5a62fd35dc6698c8f7097734f7c4acf4bb657d6c721e8a7bc76b8c%40%3Cusers.maven.apache.org%3E]. He mentioned that it was caused by commit 41efc134a9067b58a5ab01e9b8b05d2bd84a94f0, which was done for MNG-6886 ("upgrade plexus-cipher to 1.8 and update changed groupId"). A global exclusion was performed, but not all affected modules were properly updated (so the change wasn't complete):
> {code}
> [DEBUG] org.apache.maven:maven-settings-builder:jar:3.8.2
> [DEBUG]    org.apache.maven:maven-builder-support:jar:3.8.2:compile
> [DEBUG]    javax.inject:javax.inject:jar:1:compile
> [DEBUG]    org.codehaus.plexus:plexus-interpolation:jar:1.25:compile
> [DEBUG]    org.codehaus.plexus:plexus-utils:jar:3.2.1:compile
> [DEBUG]    org.apache.maven:maven-settings:jar:3.8.2:compile
> [DEBUG]    org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile (exclusions managed from [org.sonatype.plexus:plexus-cipher:*:*])
> [DEBUG]    junit:junit:jar:4.12:test
> [DEBUG]       org.hamcrest:hamcrest-core:jar:1.3:test (scope managed from compile) (version managed from 1.3)
> [INFO] org.apache.maven:maven-settings-builder:jar:3.8.2
> [INFO] +- org.apache.maven:maven-builder-support:jar:3.8.2:compile
> [INFO] +- javax.inject:javax.inject:jar:1:compile
> [INFO] +- org.codehaus.plexus:plexus-interpolation:jar:1.25:compile
> [INFO] +- org.codehaus.plexus:plexus-utils:jar:3.2.1:compile
> [INFO] +- org.apache.maven:maven-settings:jar:3.8.2:compile
> [INFO] +- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile
> [INFO] \- junit:junit:jar:4.12:test
> [INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
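
A check for the regression described in the report, as an added example (not part of the original message and not Maven's own code): it parses `mvn dependency:tree` output and lists every `plexus-sec-dispatcher` node that has no direct `plexus-cipher` child. The function names are hypothetical, the two sample trees are the listings quoted in the report, and matching is by artifactId only, so a `plexus-cipher` published under a different groupId still counts.

```python
import re

# Sample input: the two dependency:tree listings quoted in the report above.
TREE_381 = r"""[INFO] org.example:plexus-cipher-mystery:jar:1.0-SNAPSHOT
[INFO] \- org.apache.maven:maven-core:jar:3.8.1:compile
[INFO]    +- org.apache.maven:maven-model:jar:3.8.1:compile
[INFO]    +- org.apache.maven:maven-settings:jar:3.8.1:compile
[INFO]    +- org.apache.maven:maven-settings-builder:jar:3.8.1:compile
[INFO]    |  +- org.codehaus.plexus:plexus-interpolation:jar:1.25:compile
[INFO]    |  \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile
[INFO]    |     \- org.sonatype.plexus:plexus-cipher:jar:1.4:compile
[INFO]    +- org.apache.maven:maven-builder-support:jar:3.8.1:compile"""
TREE_382 = r"""[INFO] org.example:plexus-cipher-mystery:jar:1.0-SNAPSHOT
[INFO] \- org.apache.maven:maven-core:jar:3.8.2:compile
[INFO]    +- org.apache.maven:maven-model:jar:3.8.2:compile
[INFO]    +- org.apache.maven:maven-settings:jar:3.8.2:compile
[INFO]    +- org.apache.maven:maven-settings-builder:jar:3.8.2:compile
[INFO]    |  +- org.codehaus.plexus:plexus-interpolation:jar:1.25:compile
[INFO]    |  \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile
[INFO]    +- org.apache.maven:maven-builder-support:jar:3.8.2:compile"""

# Tree-drawing prefix (3 characters per level), then g:a:type:version[:scope].
LINE = re.compile(r"^\[INFO\] ([ |+\\-]*)([\w.-]+(?::[\w.-]+){3,4})\s*$")

def parse_tree(text):
    """Return (depth, groupId, artifactId, version) for each artifact line."""
    nodes = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # anything else (e.g. "(…snip…)") is not an artifact line
            g, a, _type, v = m.group(2).split(":")[:4]
            nodes.append((len(m.group(1)) // 3, g, a, v))
    return nodes

def missing_children(text, parent, child):
    """List every `parent` artifactId node with no direct `child` artifactId."""
    nodes = parse_tree(text)
    missing = []
    for i, (depth, g, a, v) in enumerate(nodes):
        if a != parent:
            continue
        kids = set()
        for d, _, kid, _ in nodes[i + 1:]:
            if d <= depth:
                break  # left the parent's subtree
            if d == depth + 1:
                kids.add(kid)
        if child not in kids:
            missing.append(f"{g}:{a}:{v}")
    return missing
```

Run against a build's captured tree output in CI, a non-empty result for `("plexus-sec-dispatcher", "plexus-cipher")` flags the condition before it surfaces as a `NoClassDefFoundError` at test time.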