https://maven.apache.org/docs/3.5.3/release-notes.html
Release Notes - Maven - Version 3.5.3
***Known issues***:
* [MNG-6372] - On Windows with -T option, Maven can output spurious ANSI escapes such as [0m [0m
Bug:
* [MNG-6188] - Console color not properly reset when interrupting build process
* [MNG-6255] - Maven script cannot parse jvm.config with CRLF
* [MNG-6282] - Console output has no colors in shell (both Git Bash and Cygwin) [regression in Jansi 1.16 / Maven 3.5.1]
* [MNG-6296] - New option -Dstyle.color is not working
* [MNG-6298] - 3.5.2: ClassNotFoundException: javax.annotation.security. RolesAllowed
* [MNG-6300] - Multi module release creates empty directories in war file instead of jars
* [MNG-6305] - Validation of CI friendly version incorrect
* [MNG-6320] - Apparently wrong encoding of non-ascii java class filename in error messages in the maven log
* [MNG-6323] - Deadlock in multithreaded dependency resolution
* [MNG-6330] - [regression] Parents relativePath not verified anymore
New Feature:
* [MNG-6302] - Provide some "progress" hints
Improvement:
* [MNG-5992] - Git passwords are exposed as the Super POM still uses
Maven Release Plugin 2.3.2
* [MNG-6306] - Replace use of Guava in maven-resolver-provider with a
lighter weight alternative
* [MNG-6308] - display packaging & groupId:artifactId when building a
module
* [MNG-6332] - Cleaned up mvn.cmd Script
* [MNG-6340] - [Performance]To make System.gc() call configurable in
target summary code
* [MNG-6342] - Emit a WARNING about LATEST/RELEASE in parent
* [MNG-6352] - Printout version information at the end of the build
Task:
* [MNG-6331] - Remove maven-bundle-pugin from build pluginManagement
Dependency upgrade:
* [MNG-6312] - Update Maven Wagon dependency
* [MNG-6335] - Update test framework Mockito from 1.10 to 2.12
* [MNG-6353] - Upgrade maven-shared-utils to 3.2.1
https://maven.apache.org/docs/3.5.2/release-notes.html
Release Notes - Maven - Version 3.5.2
Sub-tasks:
* [MNG-6186] - switch to improved HawtJNI
* [MNG-6280] - ArrayIndexOutOfBoundsException caused by pom.xml with process instructions
Bugs:
* [MNG-5935] - Optional true getting lost in managed dependencies when transitive
* [MNG-6127] - Fix plugin execution configuration interference
* [MNG-6148] - Can't package and assemble with JDK9/Jigsaw
* [MNG-6149] - MetadataResolutionResult#getGraph() never resolves request type 'test'
* [MNG-6205] - Non-ascii chars in name element are displayed as question marks in Win CLI output (regression)
* [MNG-6210] - can't load @SessionScoped/@MojoExecutionScoped components from .mvn/extensions.xml
* [MNG-6223] - mvn -f outputs invalid error when specifying POM directory
* [MNG-6233] - maven-resolver-provider mixes JRS 330 and Plexus annotations
* [MNG-6234] - Regression 6182a208: library.jansi.path does not point to proper directory
* [MNG-6240] - Duplicate components in plugin extension realm when plugin depends on maven-aether-resolver
* [MNG-6242] - No color for maven on Cygwin
Improvements:
* [MNG-5457] - Show repository id when downloading or uploading from/to a remote repository
* [MNG-6025] - Add a ProjectArtifactsCache similar to PluginArtifactsCache
* [MNG-6123] - detect self references in POM and fail fast
* [MNG-6174] - Clean Up Maven Model
* [MNG-6196] - Update slf4j and simplify its color integration
* [MNG-6203] - Minor cleanup in MavenCli.java
* [MNG-6206] - We should produce a WARNING by using RELEASE, LATEST as versions
* [MNG-6207] - Create WARNINGs in case of using system scope
* [MNG-6228] - Optionality not displayed in dependency tree when run in debug mode
New Features:
* [MNG-6084] - Support JSR 250 annotations
* [MNG-6220] - Add CLI options to control color output
Tasks:
* [MNG-6167] - Clean up dependency mess (reported by dependency:analyze)
* [MNG-6258] - Upgrade to Maven Resolver 1.1.0
3.5.0
Bugs
- Site should tell 'prerequisites.maven is deprecated'
- UnsupportedOperationException thrown when version range is not correct
in dependencyManagement definitions
- ClosedChannelException from DefaultUpdateCheckManager.read
- "mvn.cmd" does not indicate failure properly when using "&&"
- mvnDebug doesn't work with M2_HOME with spaces - missing quotes
- mvn shell script fails with syntax error on Solaris 10
- logging config is overridden by $M2_HOME/lib/ext/*.jar
- mvn shell script invokes /bin/sh but requires Bash functions
- Problem with CI friendly usage of '${..}'' which is already defined
via property in pom file.
- java.lang.String cannot be cast to
org.apache.maven.lifecycle.mapping.LifecyclePhase
- Maven possibly not aware of log4j2
- mvn.cmd fails when the current directory has spaces in between
- mvn.cmd does not return ERROR_CODE
- mvn.cmd fails if directory contains an ampersand (&)
- Unsafe System Properties copy in MavenRepositorySystemUtils, causing
NPEs
- Problem with CI friendly usage of '${..} reactor order is changed
- CI friendly properties break submodule builds
- properties.internal.SystemProperties.addSystemProperties() is not
really thread-safe
- PluginDescriptor doesn't read since value of parameter
- ${session.parallel} not correctly set
- DefaultWagonManagerTest#testGetMissingJarForced() passed incorrect
value
- mvn dependency:go-offline fails due to missing transitive dependency
jdom:jdom:jar:1.1
- Fix unclosed streams
- NPE in cases using Multithreaded -T X versions:set
-DnewVersion=1.0-SNAPSHOT
- REGRESSION: WARNING about usage of a non threadsafe marked plugin is
not showed anymore
- Precedence of command-line system property options has changed
- MavenSession.getAllProjects() should return all projects in the
reactor
- Javadoc errors prevent release with Java 8
- The --file command line option of the Windows and Unix launchers does
not work for directory names like "Spaces & Special Char"
- groupId has plain color when goal fails
- HttpClient produces a lot of noise at debug loglevel
- Dependency management debug message corrections.
- maven-resolver-provider's DefaultArtifactDescriptorReader has
mismatched constructor and initService methods
- mvn -f complains about illegal readlink option under macOS
- distribution zip file has unordered entries
- Use consistent quoting forms in mvn launcher script
- mvn script fails to locate .mvn directory when pom.xml location
specified with -f
Dependency upgrade
- Dependency updates
- Upgrade Aether to Maven Resolver
Improvements
- Unify error output/check logic from shell and batch scripts
- Don't use M2_HOME in mvn shell/command scripts anymore
- Silence unnecessary legacy local repository warning
- .mvn directory should be picked when using --file
- Remove the whole Ant build
- Fixing documentation
- String handling issues identified by PMD
- Fix links etc. in README.txt which is part of the delivery
- Default plugin version updates
- Use Java 7's SimpleDateFormat in CLIReportingUtils#formatTimestamp
- Improve output readability of our MavenTransferListener
implementations
- Confusing error message in case of missing/empty artifactId and
version in pluginManagement
- Replace %HOME% with %USERPROFILE% in mvn.cmd
- Drastically reduce JAVA_HOME discovery code
- Removing ArtifactHandler for ejb3 lifecycle
- Removing ArtifactHandler for par lifecycle
- ReactorModelCache not used effectively after maven version 3.0.5 which
cause a large memory footprint
- WARNING during build based on absolute path in assembly-descriptor.
- Document default scope compile in pom XSD and reference documentation
- Can't overwrite properties which have been defined in
.mvn/maven.config
- Log refactoring - Method Invocation Replaced By Variable
- Introduce ${maven.conf} in m2.conf
- Add Jansi native library search path to our start scripts to avoid
extraction to temp file on each run
- Remove non-existent m2 include in component.xml
- Several small stylistic and spelling improvements to code and
documentation
- 'MetadataResolutionResult#getGraph()'' contains duplicate if clause
- Javadoc improvements for 3.5.0
- Introduce CLASSWORLDS_JAR in shell startup scripts
- Deprecate and replace incorrectly spelled public API
- Remove unused prerequisites
- Replace doclettag explanation with annotations in AbstractMojo javadoc
- WARN if maven-site-plugin configuration contains reportPlugins element
New Features
- ANSI color logging for improved output visibility
- add support for module name != artifactId in every calculated URLs
(project, SCM, site): special project.directory property
- create a slf4j-simple provider extension that supports level color
rendering
- ModelResolver interface enhancement: addition of
resolveModel(Dependency) supporting version ranges
Tasks
- Remove outdated maven-embedder/src/main/resources/META-INF/MANIFEST.MF
- Remove maven.home default value setter from m2.conf
- Upgrade Maven Wagon from 2.10 to 2.12
- Clean up duplicate dependencies caused by incomplete Wagon HTTP
Provider exclusions
- Remove obsolete message_*.properties from maven-core
- update documentation's dependency graph with resolver +
resolver-provider + slf4j-provider
- Force Push master from 737de43e392fc15a0ce366db98d70aa18b3f6c03
- Add a Jenkinsfile so that builds.apache.org can use multibranch
pipeline
Wishes
- Support version ranges in parent elements
- after forked execution success, add an empty line
- warn if prerequisites.maven is used for non-plugin projects
3.3.9
Bug
- default-value on mojo parameter of type collection or array
effectively make parameter read-only
- Properties on command line with leading or trailing quotes are
stripped
- Possible NullPointerException in org.apache.maven.repository.
MetadataResolutionResult
- Variable maven.multiModuleProjectDirectory may be set incorrectly
- Moving from Maven 3.0.5 to 3.3.3 breaks plugins with some dependencies
on the class path
- mvn fails when the current directory is a root drive on Windows
- Project base dir not fully working in Cygwin
- Make MAVEN_OPTS env variable with mvnDebug correctly
- Empy maven.config cause Maven to exit with failure
- <relativePath> is used if the groupId and artifactId match
irrespective of the version
- mvn script fails to locate .mvn in current directory
- maven-aether-provider/maven-compat does not always generate snapshot
versions using Gregorian calendar year
- Nonportable shell constructs cause bin/mvn errors on Debian
- mvn script doesn't handle directories containing spaces
- Broken link of ' Building Maven' in README.md on Github
- Log file command line option description contains an extra word
- Multi-module build with ear fails to resolve war in 3.3.3
- org.apache.maven.repository.internal.RemoteSnapshotMetadataTest fails
to start at midnight
- Maven selects wrong JVM
Improvement
- Use Commons Lang's Validate to intercept invalid input
- Custom packaging types: configuring DefaultLifecycleMapping mojo
executions
- Close IO Streams in finally or try-with-resource statement
- make url inheritance algorithm more visible
- Update used modello version from 1.8.1 to 1.8.3
- Removing par lifecycle from default life cycle bindings
- Make used plugin version for maven-resources-plugin in
default-bindings.xml consistent
- Removed binding for maven-ejb3-plugin from default binding
- Maven build does not work with Maven 2.2.1
- Use canonical name for UTC timezone
- Upgrade maven-parent to version 27
- Upgrade Wagon version to 2.10
- Upgraded to plexus-component-* 1.6 that uses asm 5.x
- Upgrade plexus-utils to 3.0.22 to support combine.id as configuration
attribute for Map merging
- Switch to official Guice 4.0
- Upgrade to Eclipse/Sisu 0.3.2
- Update animal-sniffer-maven-plugin to 1.14. MANIMALSNIFFER-49 required
when building with JDK9
3.3.3
Bug
- ssh-wagon hangs
- same class realm registered both with plugin and extensions realm
caches
- Maven extensions can not be retrieved from authenticated repositories
- 'mvn deploy' sends HTTP User-Agent twice
Improvement
- Warn about Proxies with duplicate id, but different protocols
- Upgrade Maven to use Wagon 2.9
3.3.1
Bug
- mvn cannot execute /usr/libexec/java_home/bin/java on OS X.
- mvn script is not compatible with OSX (Darwin) - PATCH ATTACHED
- Wrong reactor summary output while using -T option
- inconsistent classloading for extensions=true plugins
- Add example of toolchains.xml to Maven distribution
- DefaultMavenExecutionRequest.copy() doesn't keep
useLegacyLocalRepository
- DefaultMavenExecutionRequest.copy() doesn't keep builderId
- execution request populate ignores plugin repositories
- LifecycleModuleBuilder effectively swallows runtime exceptions and
errors
- NoClassDefFoundError: org/slf4j/spi/LocationAwareLogger when
generating javadoc during site reporting
- cobertura-maven-plugin:instrument failing NoClassDefFoundError:
org/slf4j/LoggerFactory
Improvement
- Modify maven-toolchain to look in ${maven.home}/conf/toolchains.xml
and in ${user.home}/.m2/toolchains.xml
- Empty module entry should fail instead of just producing a WARNING
- avoid hardcoded system classloader references
- Toolchains should be read during initialization
- project-specific default jvm options and command line parameters
- specify execution-id for direct plugin goal invocation from command
line
- improved user-configurable core extensions mechanism
- upgrade to sisu 0.3.0 and sisu guice 3.2.5
New Feature
- Add module maven-builder-support
- Allow plugin implementors to choose how they want the configuration
created for a particular MojoExecution
- Access toolchains without maven-toolchain-plugin
- Provide an extension point to provide alternate CLI configuration
mechanism
- Provide extension point for alternate implementations to construct
build graph
Task
- update aether to 1.0.2
- Drop support for Win9x in mvn launch scripts
- switch from 3.2.x to 3.3.x
- upgrade Java minimum version prerequisite from Java 6 to Java 7
3.2.5
Bug
- [Regression] resolveAlways does not force dependency resolution in
Maven 3.0.4
- ComparableVersion's breaks contract for Comparable, in some edgecases
the comparisons are not transitive
- Maven dependency resolution locks up
- mvn -U crashes with IBM JDK
- java.lang.UnsupportedOperationException on DefaultProjectBuilder.build
- Parallel Builds can build in wrong order
- inconsistent custom scope bindings
- Remove dependency on Easymock
- Update to plexus-interpolation 1.21 to avoid potential thread safety
problems
- spell mistake, Log4JLoggerFactory should be Log4jLoggerFactory
- LinkageError
org.apache.maven.surefire.shade.org.apache.maven.shared.utils.io.IOUtil
- ToolchainManagerPrivate.getToolchainsForType() returns toolchains that
are not of expected type
- Maven downloads same artifact from all repositories defined in POM
- unexpected InvalidArtifactRTException from ProjectBuilder#build
Improvement
- Improve toolchains descriptor documentation
- Improve Toolchains API description
- Enrich toolchain xml with merge information
- Change 'provides' from Object to Properties in toolchains.xml
- Upgrade to last Wagon 2.8
New Feature
- Add Merger for Maven Toolchain
- Provide a tool to test Maven version parsing and comparison
Task
- Upgrade Aether 1.0 when available
- Upgrade JUnit (for tests only)
Wish
- rename JavaToolChain to JavaToolchain for consistency and don't
declare it as Plexus component
pkgsrc changes:
- Add missing $PKG_SYSCONFDIR/logging directory and config file
- Improve Makefile readability
Changes in 3.2.3:
- Switch access to Maven Central to HTTPS (MNG-5672)
Changes in 3.2.2:
- Support version ranges in parent elements (MNG-2199)
- Requiring multiple profile activation conditions to be true does
not work (MNG-4565)
- Support resolution of Import Scope POMs from Repo that contains
a ${parameter} (MNG-5639)
- Update maven-plugin-plugin:descriptor default binding from
generate-resources phase to process-classes (MNG-5346)
- ${maven.build.timestamp} should use UTC instead of local timezone
(or be configurable) (MNG-5452)
- ${maven.build.timestamp} uses incorrect ISO datetime separator
(MNG-5647)
http://maven.apache.org/docs/3.0.5/release-notes.html
Apache Maven 3.0.5 is a maintenance release to fix a security
issue CVE-2013-0253 Apache Maven 3.0.4
http://maven.apache.org/security.html
CVE-2013-0253 Apache Maven 3.0.4
Apache Maven 3.0.4 (with Apache Maven Wagon 2.1) has
introduced a non-secure SSL mode by default. This mode
disables all SSL certificate checking, including: host
name verification , date validity, and certificate chain.
Not validating the certificate introduces the possibility
of a man-in-the-middle attack.
All users are recommended to upgrade to Apache Maven 3.0.5
and Apache Maven Wagon 2.4.
Maven is a software project management and comprehension tool.
Based on the concept of a project object model (POM), Maven
can manage a project's build, reporting and documentation from
a central piece of information.
