You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Guillaume Nodet (Jira)" <ji...@apache.org> on 2022/10/20 08:11:02 UTC
[jira] [Updated] (MNG-7219) [Regression] plexus-cipher missing from transitive dependencies
[ https://issues.apache.org/jira/browse/MNG-7219?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Guillaume Nodet updated MNG-7219:
---------------------------------
Fix Version/s: 4.0.0-alpha-2
> [Regression] plexus-cipher missing from transitive dependencies
> ---------------------------------------------------------------
>
> Key: MNG-7219
> URL: https://issues.apache.org/jira/browse/MNG-7219
> Project: Maven
> Issue Type: Bug
> Components: Dependencies
> Affects Versions: 3.8.2
> Reporter: Nils Breunese
> Assignee: Michael Osipov
> Priority: Major
> Fix For: 3.8.3, 4.0.0-alpha-1, 4.0.0-alpha-2, 4.0.0
>
>
> I have a project that uses {{org.apache.maven.plugin-testing:maven-plugin-testing-harness:3.3.0}} for testing a Maven plugin.
> After upgrading the project’s Maven dependencies from Maven 3.8.1 to 3.8.2 I got this error message when running tests:
> {code}
> Error injecting: org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher
> java.lang.NoClassDefFoundError: org/sonatype/plexus/components/cipher/PlexusCipher ... 117 more
> {code}
> {{PlexusCipher}} is a class in the {{plexus-cipher}} artifact, which is a transitive dependency of {{maven-core}} 3.8.1:
> {code}
> [INFO] org.example:plexus-cipher-mystery:jar:1.0-SNAPSHOT
> [INFO] \- org.apache.maven:maven-core:jar:3.8.1:compile
> [INFO] +- org.apache.maven:maven-model:jar:3.8.1:compile
> [INFO] +- org.apache.maven:maven-settings:jar:3.8.1:compile
> [INFO] +- org.apache.maven:maven-settings-builder:jar:3.8.1:compile
> [INFO] | +- org.codehaus.plexus:plexus-interpolation:jar:1.25:compile
> [INFO] | \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile
> [INFO] | \- org.sonatype.plexus:plexus-cipher:jar:1.4:compile
> [INFO] +- org.apache.maven:maven-builder-support:jar:3.8.1:compile
> (…snip…)
> {code}
> But {{plexus-cipher}} is not a transitive dependency of {{maven-core}} 3.8.2:
> {code}
> [INFO] org.example:plexus-cipher-mystery:jar:1.0-SNAPSHOT
> [INFO] \- org.apache.maven:maven-core:jar:3.8.2:compile
> [INFO] +- org.apache.maven:maven-model:jar:3.8.2:compile
> [INFO] +- org.apache.maven:maven-settings:jar:3.8.2:compile
> [INFO] +- org.apache.maven:maven-settings-builder:jar:3.8.2:compile
> [INFO] | +- org.codehaus.plexus:plexus-interpolation:jar:1.25:compile
> [INFO] | \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile
> [INFO] +- org.apache.maven:maven-builder-support:jar:3.8.2:compile
> (…snip…)
> {code}
> Both {{maven-core}} 3.8.1 and 3.8.2 have a transitive dependency on {{org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4}}. When using {{maven-core}} 3.8.1 {{plexus-sec-dispatcher}} has a dependency on plexus-cipher, but when using {{maven-core}} 3.8.2 it doesn’t.
> The [{{pom.xml}} of {{plexus-sec-dispatcher:1.4}}|https://search.maven.org/artifact/org.sonatype.plexus/plexus-sec-dispatcher/1.4/jar] indeed declares a dependency on {{plexus-cipher}} 1.4, but it’s not there when depending on {{maven-core}} 3.8.2.
> This regression was [confirmed by Michael Osipov on the Maven Users mailing list|https://lists.apache.org/thread.html/r7f5a62fd35dc6698c8f7097734f7c4acf4bb657d6c721e8a7bc76b8c%40%3Cusers.maven.apache.org%3E]. He mentioned that it was caused by commit 41efc134a9067b58a5ab01e9b8b05d2bd84a94f0, which was done for MNG-6886 ("upgrade plexus-cipher to 1.8 and update changed groupId"). A global exclusion was performed, but not all affected modules were properly updated (so the change wasn't complete):
> {code}
> [DEBUG] org.apache.maven:maven-settings-builder:jar:3.8.2
> [DEBUG] org.apache.maven:maven-builder-support:jar:3.8.2:compile
> [DEBUG] javax.inject:javax.inject:jar:1:compile
> [DEBUG] org.codehaus.plexus:plexus-interpolation:jar:1.25:compile
> [DEBUG] org.codehaus.plexus:plexus-utils:jar:3.2.1:compile
> [DEBUG] org.apache.maven:maven-settings:jar:3.8.2:compile
> [DEBUG] org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile (exclusions managed from [org.sonatype.plexus:plexus-cipher:*:*])
> [DEBUG] junit:junit:jar:4.12:test
> [DEBUG] org.hamcrest:hamcrest-core:jar:1.3:test (scope managed from compile) (version managed from 1.3)
> [INFO] org.apache.maven:maven-settings-builder:jar:3.8.2
> [INFO] +- org.apache.maven:maven-builder-support:jar:3.8.2:compile
> [INFO] +- javax.inject:javax.inject:jar:1:compile
> [INFO] +- org.codehaus.plexus:plexus-interpolation:jar:1.25:compile
> [INFO] +- org.codehaus.plexus:plexus-utils:jar:3.2.1:compile
> [INFO] +- org.apache.maven:maven-settings:jar:3.8.2:compile
> [INFO] +- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile
> [INFO] \- junit:junit:jar:4.12:test
> [INFO] \- org.hamcrest:hamcrest-core:jar:1.3:test
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)