Posted to issues@maven.apache.org by "Christoph Läubrich (Jira)" <ji...@apache.org> on 2023/05/24 11:42:00 UTC

[jira] [Commented] (MNG-7097) Plugin Dependency Resolution: don't download Maven-provided artifacts

    [ https://issues.apache.org/jira/browse/MNG-7097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17725764#comment-17725764 ] 

Christoph Läubrich commented on MNG-7097:
-----------------------------------------

> "fake" resolution of artifacts present in core: collect them, but Artifact should point to Maven lib? This is dangerous, as plugin would have access to Files comprising Maven

I think any Maven process has enough power to harm the system, and finding out the Maven home for a plugin is not really anything that requires special power.

I would even expect that the Maven install itself is read-only to the user as well... so this sounds like a very interesting idea indeed.

> Plugin Dependency Resolution: don't download Maven-provided artifacts
> ---------------------------------------------------------------------
>
>                 Key: MNG-7097
>                 URL: https://issues.apache.org/jira/browse/MNG-7097
>             Project: Maven
>          Issue Type: Task
>          Components: Performance, Plugins and Lifecycle
>            Reporter: Tamas Cservenak
>            Assignee: Tamas Cservenak
>            Priority: Major
>
> Current Maven behavior for resolving plugin dependencies is to download the full transitive graph of plugin dependencies, but for executing the plugin it filters out core artifacts from the graph (excludes them).
> This results in unnecessary downloads of core artifacts, multiplied by multiple versions used by different plugins, and the local repository ends up having artifacts that may even surprise users.
> Most notable examples: maven-core (user: "Why did Maven download maven-core-X when I use maven-Y?"), plexus-container-default (user: "Why does Maven download 10+ versions of this legacy artifact (adv user: when sisu-inject-plexus shim is used instead)?"), multiple versions of plexus-utils etc...
> We need to investigate what exactly happens with downloaded but unused core artifacts (if they are completely excluded based on GAV, we are safest), and simply exclude them even from resolution/collection, as they are really not needed.
> This will not "improve build speed", but does lessen "bandwidth", as experiments show that cutting plugin dependencies for core artifacts for the Maven project itself makes about 1k fewer remote requests (artifact and artifact checksum downloads).


