pkglint --only "https instead of http" -r -F
With manual adjustments afterwards since pkglint 19.4.4 fixed a few
indentations in unrelated lines.
This mainly affects projects hosted at SourceForce, as well as
freedesktop.org, CTAN and GNU.
Overview about the changes
This release is primarily aimed to resolve the two regressions
introduced in the 3.5.3 release, specifically MNG-6372 and MNG-6388.
There are some additional minor improvements, the most notable of which
is:
* The Maven Super POM changes the default execution of the
maven-source-plugin jar goal into jar-no-fork which should resolve
some issues complex projects had running releases.
The detailed issue list
Bugs
* MNG-6370 ConcurrencyDependencyGraph#getNumberOfBuilds() does not
remove finished projects from unfinished ones
* MNG-6372 On Windows Maven can output spurious ANSI escapes such as
[0m [0m
* MNG-6382 JANSI fails frequently with NumberFormatException when
building in parallel
* MNG-6386 ${project.baseUri} is not a valid URI (according to RFC
3986)
* MNG-6388 Error Fetching Artifacts: “[B cannot be cast to
java.lang.String”
* MNG-6403 Artifact#VERSION_FILE_PATTERN does not escape period
between date and time
* MNG-6410 Add groupId to --resume-from suggestion if artifactId is
not unique in reactor
Improvements
* MNG-5756 Java home output in mvn -v is misleading
* MNG-5940 Change the maven-source-plugin jar goal into jar-no-fork
in Maven Super POM
* MNG-6362 Add documentation information for GitHub
* MNG-6363 Remove secret thread configuration property from code
* MNG-6364 Enhanced Jenkinsfile to test Core with JDK 9
* MNG-6411 Improve readability of project list returned when
--resume-from option value is invalid
Tasks
* MNG-6377 switch from Git-WIP to Gitbox
Dependency upgrades
* MNG-6344 Upgrade Guice to 4.2.0
* MNG-6423 Upgrade to Wagon 3.1.0
https://maven.apache.org/docs/3.5.4/release-notes.html
https://maven.apache.org/docs/3.5.3/release-notes.html
Release Notes - Maven - Version 3.5.3
***Known issues***:
* [MNG-6372] - On Windows with -T option, Maven can output spurious ANSI escapes such as [0m [0m
Bug:
* [MNG-6188] - Console color not properly reset when interrupting build process
* [MNG-6255] - Maven script cannot parse jvm.config with CRLF
* [MNG-6282] - Console output has no colors in shell (both Git Bash and Cygwin) [regression in Jansi 1.16 / Maven 3.5.1]
* [MNG-6296] - New option -Dstyle.color is not working
* [MNG-6298] - 3.5.2: ClassNotFoundException: javax.annotation.security. RolesAllowed
* [MNG-6300] - Multi module release creates empty directories in war file instead of jars
* [MNG-6305] - Validation of CI friendly version incorrect
* [MNG-6320] - Apparently wrong encoding of non-ascii java class filename in error messages in the maven log
* [MNG-6323] - Deadlock in multithreaded dependency resolution
* [MNG-6330] - [regression] Parents relativePath not verified anymore
New Feature:
* [MNG-6302] - Provide some "progress" hints
Improvement:
* [MNG-5992] - Git passwords are exposed as the Super POM still uses
Maven Release Plugin 2.3.2
* [MNG-6306] - Replace use of Guava in maven-resolver-provider with a
lighter weight alternative
* [MNG-6308] - display packaging & groupId:artifactId when building a
module
* [MNG-6332] - Cleaned up mvn.cmd Script
* [MNG-6340] - [Performance]To make System.gc() call configurable in
target summary code
* [MNG-6342] - Emit a WARNING about LATEST/RELEASE in parent
* [MNG-6352] - Printout version information at the end of the build
Task:
* [MNG-6331] - Remove maven-bundle-pugin from build pluginManagement
Dependency upgrade:
* [MNG-6312] - Update Maven Wagon dependency
* [MNG-6335] - Update test framework Mockito from 1.10 to 2.12
* [MNG-6353] - Upgrade maven-shared-utils to 3.2.1
https://maven.apache.org/docs/3.5.2/release-notes.html
Release Notes - Maven - Version 3.5.2
Sub-tasks:
* [MNG-6186] - switch to improved HawtJNI
* [MNG-6280] - ArrayIndexOutOfBoundsException caused by pom.xml with process instructions
Bugs:
* [MNG-5935] - Optional true getting lost in managed dependencies when transitive
* [MNG-6127] - Fix plugin execution configuration interference
* [MNG-6148] - Can't package and assemble with JDK9/Jigsaw
* [MNG-6149] - MetadataResolutionResult#getGraph() never resolves request type 'test'
* [MNG-6205] - Non-ascii chars in name element are displayed as question marks in Win CLI output (regression)
* [MNG-6210] - can't load @SessionScoped/@MojoExecutionScoped components from .mvn/extensions.xml
* [MNG-6223] - mvn -f outputs invalid error when specifying POM directory
* [MNG-6233] - maven-resolver-provider mixes JRS 330 and Plexus annotations
* [MNG-6234] - Regression 6182a208: library.jansi.path does not point to proper directory
* [MNG-6240] - Duplicate components in plugin extension realm when plugin depends on maven-aether-resolver
* [MNG-6242] - No color for maven on Cygwin
Improvements:
* [MNG-5457] - Show repository id when downloading or uploading from/to a remote repository
* [MNG-6025] - Add a ProjectArtifactsCache similar to PluginArtifactsCache
* [MNG-6123] - detect self references in POM and fail fast
* [MNG-6174] - Clean Up Maven Model
* [MNG-6196] - Update slf4j and simplify its color integration
* [MNG-6203] - Minor cleanup in MavenCli.java
* [MNG-6206] - We should produce a WARNING by using RELEASE, LATEST as versions
* [MNG-6207] - Create WARNINGs in case of using system scope
* [MNG-6228] - Optionality not displayed in dependency tree when run in debug mode
New Features:
* [MNG-6084] - Support JSR 250 annotations
* [MNG-6220] - Add CLI options to control color output
Tasks:
* [MNG-6167] - Clean up dependency mess (reported by dependency:analyze)
* [MNG-6258] - Upgrade to Maven Resolver 1.1.0
3.5.0
Bugs
- Site should tell 'prerequisites.maven is deprecated'
- UnsupportedOperationException thrown when version range is not correct
in dependencyManagement definitions
- ClosedChannelException from DefaultUpdateCheckManager.read
- "mvn.cmd" does not indicate failure properly when using "&&"
- mvnDebug doesn't work with M2_HOME with spaces - missing quotes
- mvn shell script fails with syntax error on Solaris 10
- logging config is overridden by $M2_HOME/lib/ext/*.jar
- mvn shell script invokes /bin/sh but requires Bash functions
- Problem with CI friendly usage of '${..}'' which is already defined
via property in pom file.
- java.lang.String cannot be cast to
org.apache.maven.lifecycle.mapping.LifecyclePhase
- Maven possibly not aware of log4j2
- mvn.cmd fails when the current directory has spaces in between
- mvn.cmd does not return ERROR_CODE
- mvn.cmd fails if directory contains an ampersand (&)
- Unsafe System Properties copy in MavenRepositorySystemUtils, causing
NPEs
- Problem with CI friendly usage of '${..} reactor order is changed
- CI friendly properties break submodule builds
- properties.internal.SystemProperties.addSystemProperties() is not
really thread-safe
- PluginDescriptor doesn't read since value of parameter
- ${session.parallel} not correctly set
- DefaultWagonManagerTest#testGetMissingJarForced() passed incorrect
value
- mvn dependency:go-offline fails due to missing transitive dependency
jdom:jdom:jar:1.1
- Fix unclosed streams
- NPE in cases using Multithreaded -T X versions:set
-DnewVersion=1.0-SNAPSHOT
- REGRESSION: WARNING about usage of a non threadsafe marked plugin is
not showed anymore
- Precedence of command-line system property options has changed
- MavenSession.getAllProjects() should return all projects in the
reactor
- Javadoc errors prevent release with Java 8
- The --file command line option of the Windows and Unix launchers does
not work for directory names like "Spaces & Special Char"
- groupId has plain color when goal fails
- HttpClient produces a lot of noise at debug loglevel
- Dependency management debug message corrections.
- maven-resolver-provider's DefaultArtifactDescriptorReader has
mismatched constructor and initService methods
- mvn -f complains about illegal readlink option under macOS
- distribution zip file has unordered entries
- Use consistent quoting forms in mvn launcher script
- mvn script fails to locate .mvn directory when pom.xml location
specified with -f
Dependency upgrade
- Dependency updates
- Upgrade Aether to Maven Resolver
Improvements
- Unify error output/check logic from shell and batch scripts
- Don't use M2_HOME in mvn shell/command scripts anymore
- Silence unnecessary legacy local repository warning
- .mvn directory should be picked when using --file
- Remove the whole Ant build
- Fixing documentation
- String handling issues identified by PMD
- Fix links etc. in README.txt which is part of the delivery
- Default plugin version updates
- Use Java 7's SimpleDateFormat in CLIReportingUtils#formatTimestamp
- Improve output readability of our MavenTransferListener
implementations
- Confusing error message in case of missing/empty artifactId and
version in pluginManagement
- Replace %HOME% with %USERPROFILE% in mvn.cmd
- Drastically reduce JAVA_HOME discovery code
- Removing ArtifactHandler for ejb3 lifecycle
- Removing ArtifactHandler for par lifecycle
- ReactorModelCache not used effectively after maven version 3.0.5 which
cause a large memory footprint
- WARNING during build based on absolute path in assembly-descriptor.
- Document default scope compile in pom XSD and reference documentation
- Can't overwrite properties which have been defined in
.mvn/maven.config
- Log refactoring - Method Invocation Replaced By Variable
- Introduce ${maven.conf} in m2.conf
- Add Jansi native library search path to our start scripts to avoid
extraction to temp file on each run
- Remove non-existent m2 include in component.xml
- Several small stylistic and spelling improvements to code and
documentation
- 'MetadataResolutionResult#getGraph()'' contains duplicate if clause
- Javadoc improvements for 3.5.0
- Introduce CLASSWORLDS_JAR in shell startup scripts
- Deprecate and replace incorrectly spelled public API
- Remove unused prerequisites
- Replace doclettag explanation with annotations in AbstractMojo javadoc
- WARN if maven-site-plugin configuration contains reportPlugins element
New Features
- ANSI color logging for improved output visibility
- add support for module name != artifactId in every calculated URLs
(project, SCM, site): special project.directory property
- create a slf4j-simple provider extension that supports level color
rendering
- ModelResolver interface enhancement: addition of
resolveModel(Dependency) supporting version ranges
Tasks
- Remove outdated maven-embedder/src/main/resources/META-INF/MANIFEST.MF
- Remove maven.home default value setter from m2.conf
- Upgrade Maven Wagon from 2.10 to 2.12
- Clean up duplicate dependencies caused by incomplete Wagon HTTP
Provider exclusions
- Remove obsolete message_*.properties from maven-core
- update documentation's dependency graph with resolver +
resolver-provider + slf4j-provider
- Force Push master from 737de43e392fc15a0ce366db98d70aa18b3f6c03
- Add a Jenkinsfile so that builds.apache.org can use multibranch
pipeline
Wishes
- Support version ranges in parent elements
- after forked execution success, add an empty line
- warn if prerequisites.maven is used for non-plugin projects
3.3.9
Bug
- default-value on mojo parameter of type collection or array
effectively make parameter read-only
- Properties on command line with leading or trailing quotes are
stripped
- Possible NullPointerException in org.apache.maven.repository.
MetadataResolutionResult
- Variable maven.multiModuleProjectDirectory may be set incorrectly
- Moving from Maven 3.0.5 to 3.3.3 breaks plugins with some dependencies
on the class path
- mvn fails when the current directory is a root drive on Windows
- Project base dir not fully working in Cygwin
- Make MAVEN_OPTS env variable with mvnDebug correctly
- Empy maven.config cause Maven to exit with failure
- <relativePath> is used if the groupId and artifactId match
irrespective of the version
- mvn script fails to locate .mvn in current directory
- maven-aether-provider/maven-compat does not always generate snapshot
versions using Gregorian calendar year
- Nonportable shell constructs cause bin/mvn errors on Debian
- mvn script doesn't handle directories containing spaces
- Broken link of ' Building Maven' in README.md on Github
- Log file command line option description contains an extra word
- Multi-module build with ear fails to resolve war in 3.3.3
- org.apache.maven.repository.internal.RemoteSnapshotMetadataTest fails
to start at midnight
- Maven selects wrong JVM
Improvement
- Use Commons Lang's Validate to intercept invalid input
- Custom packaging types: configuring DefaultLifecycleMapping mojo
executions
- Close IO Streams in finally or try-with-resource statement
- make url inheritance algorithm more visible
- Update used modello version from 1.8.1 to 1.8.3
- Removing par lifecycle from default life cycle bindings
- Make used plugin version for maven-resources-plugin in
default-bindings.xml consistent
- Removed binding for maven-ejb3-plugin from default binding
- Maven build does not work with Maven 2.2.1
- Use canonical name for UTC timezone
- Upgrade maven-parent to version 27
- Upgrade Wagon version to 2.10
- Upgraded to plexus-component-* 1.6 that uses asm 5.x
- Upgrade plexus-utils to 3.0.22 to support combine.id as configuration
attribute for Map merging
- Switch to official Guice 4.0
- Upgrade to Eclipse/Sisu 0.3.2
- Update animal-sniffer-maven-plugin to 1.14. MANIMALSNIFFER-49 required
when building with JDK9
3.3.3
Bug
- ssh-wagon hangs
- same class realm registered both with plugin and extensions realm
caches
- Maven extensions can not be retrieved from authenticated repositories
- 'mvn deploy' sends HTTP User-Agent twice
Improvement
- Warn about Proxies with duplicate id, but different protocols
- Upgrade Maven to use Wagon 2.9
3.3.1
Bug
- mvn cannot execute /usr/libexec/java_home/bin/java on OS X.
- mvn script is not compatible with OSX (Darwin) - PATCH ATTACHED
- Wrong reactor summary output while using -T option
- inconsistent classloading for extensions=true plugins
- Add example of toolchains.xml to Maven distribution
- DefaultMavenExecutionRequest.copy() doesn't keep
useLegacyLocalRepository
- DefaultMavenExecutionRequest.copy() doesn't keep builderId
- execution request populate ignores plugin repositories
- LifecycleModuleBuilder effectively swallows runtime exceptions and
errors
- NoClassDefFoundError: org/slf4j/spi/LocationAwareLogger when
generating javadoc during site reporting
- cobertura-maven-plugin:instrument failing NoClassDefFoundError:
org/slf4j/LoggerFactory
Improvement
- Modify maven-toolchain to look in ${maven.home}/conf/toolchains.xml
and in ${user.home}/.m2/toolchains.xml
- Empty module entry should fail instead of just producing a WARNING
- avoid hardcoded system classloader references
- Toolchains should be read during initialization
- project-specific default jvm options and command line parameters
- specify execution-id for direct plugin goal invocation from command
line
- improved user-configurable core extensions mechanism
- upgrade to sisu 0.3.0 and sisu guice 3.2.5
New Feature
- Add module maven-builder-support
- Allow plugin implementors to choose how they want the configuration
created for a particular MojoExecution
- Access toolchains without maven-toolchain-plugin
- Provide an extension point to provide alternate CLI configuration
mechanism
- Provide extension point for alternate implementations to construct
build graph
Task
- update aether to 1.0.2
- Drop support for Win9x in mvn launch scripts
- switch from 3.2.x to 3.3.x
- upgrade Java minimum version prerequisite from Java 6 to Java 7
3.2.5
Bug
- [Regression] resolveAlways does not force dependency resolution in
Maven 3.0.4
- ComparableVersion's breaks contract for Comparable, in some edgecases
the comparisons are not transitive
- Maven dependency resolution locks up
- mvn -U crashes with IBM JDK
- java.lang.UnsupportedOperationException on DefaultProjectBuilder.build
- Parallel Builds can build in wrong order
- inconsistent custom scope bindings
- Remove dependency on Easymock
- Update to plexus-interpolation 1.21 to avoid potential thread safety
problems
- spell mistake, Log4JLoggerFactory should be Log4jLoggerFactory
- LinkageError
org.apache.maven.surefire.shade.org.apache.maven.shared.utils.io.IOUtil
- ToolchainManagerPrivate.getToolchainsForType() returns toolchains that
are not of expected type
- Maven downloads same artifact from all repositories defined in POM
- unexpected InvalidArtifactRTException from ProjectBuilder#build
Improvement
- Improve toolchains descriptor documentation
- Improve Toolchains API description
- Enrich toolchain xml with merge information
- Change 'provides' from Object to Properties in toolchains.xml
- Upgrade to last Wagon 2.8
New Feature
- Add Merger for Maven Toolchain
- Provide a tool to test Maven version parsing and comparison
Task
- Upgrade Aether 1.0 when available
- Upgrade JUnit (for tests only)
Wish
- rename JavaToolChain to JavaToolchain for consistency and don't
declare it as Plexus component
Issues found with existing distfiles:
distfiles/eclipse-sourceBuild-srcIncluded-3.0.1.zip
distfiles/fortran-utils-1.1.tar.gz
distfiles/ivykis-0.39.tar.gz
distfiles/enum-1.11.tar.gz
distfiles/pvs-3.2-libraries.tgz
distfiles/pvs-3.2-linux.tgz
distfiles/pvs-3.2-solaris.tgz
distfiles/pvs-3.2-system.tgz
No changes made to these distinfo files.
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
pkgsrc changes:
- Add missing $PKG_SYSCONFDIR/logging directory and config file
- Improve Makefile readability
Changes in 3.2.3:
- Switch access to Maven Central to HTTPS (MNG-5672)
Changes in 3.2.2:
- Support version ranges in parent elements (MNG-2199)
- Requiring multiple profile activation conditions to be true does
not work (MNG-4565)
- Support resolution of Import Scope POMs from Repo that contains
a ${parameter} (MNG-5639)
- Update maven-plugin-plugin:descriptor default binding from
generate-resources phase to process-classes (MNG-5346)
- ${maven.build.timestamp} should use UTC instead of local timezone
(or be configurable) (MNG-5452)
- ${maven.build.timestamp} uses incorrect ISO datetime separator
(MNG-5647)
Release notes for 3.2.1
Bug
[MNG-5075] - MavenProject.getParent throws undocumented ISE
[MNG-5389] - AbstractMavenLifecycleParticipant need a afterSessionEnd
[MNG-5467] - intermittent "ProtocolException: The server failed to respond
with a valid HTTP response"
[MNG-5479] - ExecutionEvent.Type.SessionEnded omited when runtime
exception thrown
[MNG-5494] - Add a license file that corresponds to each GAV
in the distribution
[MNG-5528] - Help text confuses people
[MNG-5550] - MojoExecution source is never set to LIFECYCLE
[MNG-5553] - ${map(some.key)} is not properly interpolated
[MNG-5557] - Limit the reactor to the projects that are specified
using --projects
[MNG-5559] - upgrade to last wagon 2.6
[MNG-5572] - Warn for building plugins with extensions in a reactor
Improvement
[MNG-3526] - Small change to artifact version parsing.
[MNG-4099] - Password encryption CLI switches should prompt for password
if missing
[MNG-5176] - Print build times in an ISO 8601-style manner
[MNG-5530] - mojo execution guice scope
[MNG-5549] - Provide before/after callbacks for project and mojo execution
[MNG-5574] - Write error/warning messages from mvn shell and batch scripts
to stderr
[MNG-5575] - Separate build strategies into their own implementations
[MNG-5576] - Allow continuous delivery friendly versions
[MNG-5578] - Make the ReactorReader pluggable in the core
[MNG-5581] - Provide a way to customize lifecycle mapping logic
[MNG-5582] - Continue to track all the projects in the reactor even
if the set is constrained by --projects
New Feature
[MNG-2315] - Add option to exclude all transitive dependencies for
a particular one
[MNG-3832] - Allow wildcards in dependency exclusions
[MNG-5230] - Command line option to exclude modules from reactor
Release notes for 3.1.1
Bug
[MNG-5459] - failure to resolve pom artifact from snapshotVersion
in maven-metadata.xml
[MNG-5495] - API incompatibility causes Swagger Maven Plugin (and others)
to fail under Maven 3.1.0
[MNG-5499] - maven-aether-provider leaks Sisu Plexus and ObjectWeb classes
onto the classpath when they are not required
[MNG-5500] - help for --legacy-local-repository option explains
_maven.repositories instead of _remote.repositories
[MNG-5503] - Maven 3.1.0 fails to resolve artifacts produced by reactor build
[MNG-5509] - org.apache.maven.repository.legacy.DefaultWagonManager should
set User-Agent
Release notes for 3.1.0
Major Changes
- The use of JSR330 in the core for extensions and in Maven plugins.
You can read more about it in the Maven and JSR330 document.
- The use of SLF4J in the core for logging. You can read more about it
in the Maven and SLF4J document.
- The switch in the core from Sonatype Aether to Eclipse Aether.
Known Incompatibilities with Maven 3.0.x
- The significant change in Eclipse Aether with respect to API changes
and package relocation will likely cause issues with plugins that directly depend on Aether.
Bug
[MNG-3131] - Error message is misleading if a missing plugin parameter is
of a type like List
[MNG-5016] - A mirror's layout setting should default to 'default' since
thats' the only layout supported lay in maven 3
[MNG-5206] - plexus container never disposed
[MNG-5208] - Parallel (-T option) multi module build fires wrong
"project failed event"
[MNG-5209] - MavenProject.getTestClasspathElements can return null elements
[MNG-5212] - DefaultPluginDescriptorCache does not retain pluginDescriptor
dependencies
[MNG-5214] - Dependency resolution substitutes g🅰️v:jar for
j🅰️v:something-else when something-else isn't in the reactor
[MNG-5233] - ArtifactMetadataRetrievalException from
org.apache.maven.artifact.metadata is not anymore binary compatible.
[MNG-5258] - localRepository in settings.xml does not handle ~ as home.dir
[MNG-5261] - upgrade wagon version to 2.3 to fix issues with redirect
[MNG-5270] - README.bootstrap.txt says "Ant 1.6.5 or later" BUT 1.8 or
later is needed
[MNG-5280] - Inconsistent order of repositories and pluginRepositories
from profiles in settings (regression Maven 3)
[MNG-5289] - -Dmaven.repo.local not honored
[MNG-5312] - MavenProject.getParent intolerably slow when import scope
used heavily
[MNG-5313] - Unnecessary DefaultModelBuilder.build overload
[MNG-5314] - DefaultModelValidator misuses String.matches
[MNG-5336] - Descriptor Reference for settings.xml is incorrect
[MNG-5387] - Add ability to replace an artifact in mid-build
[MNG-5390] - mvn -rf (no argument) results in NPE
[MNG-5395] - logger name for plugins should not be DefaultMavenPluginManager
[MNG-5396] - logger name for execution events should not be MavenCli
[MNG-5398] - scriptSourceDirectory in superpom is not prefixed
with /usr/home/cmsslave/slave15/maven-site-staging/build/trunk/
[MNG-5403] - tar.gz release artifacts have wrong permissions on directories
[MNG-5418] - Can't activate a profile by checking for the presence of
a file in $myProperty
[MNG-5430] - use wagon 2.4
[MNG-5444] - ModelSource API is not sufficient to resolve project hierachies
[MNG-5445] - Missing PathTranslator @Requirement in
org.apache.maven.project.interpolation.StringSearchModelInterpolator
[MNG-5456] - Maven skips modules and reports success if parallel build
encounters java.lang.Error
[MNG-5477] - "malformed POM" warning issued when no version
in reporting section
Improvement
[MNG-4505] - use slf4j to control various logging frameworks
[MNG-5181] - New resolution from local repository is very confusing
[MNG-5239] - Maven integration developers would like to be able to override
the maven logging appender.
[MNG-5245] - upgrade default plugins versions
[MNG-5338] - Accept a directory with -f/--file
[MNG-5350] - improve @threadSafe error message: tell which goal
[MNG-5399] - Upgrade version of maven-release-plugin in superpom to 2.3.2
[MNG-5400] - Upgrade version of maven-dependency-plugin in superpom to 2.5
[MNG-5402] - Better build number for git
[MNG-5480] - document in POM descriptor reference how urls are interpolated
from parent
[MNG-5482] - Catch NoClassDefFoundError org/sonatype/aether
New Feature
[MNG-519] - Timestamps on messages
[MNG-5306] - for IDE embedding have ways of collecting model problems
without failing the process
[MNG-5343] - Allow the use of JSR330 annotation in Maven extensions
and plugins
[MNG-5344] - Allow the SLF4J loggers to be @Injected
[MNG-5354] - Integrate Eclipse Aether 0.9.0.M2
[MNG-5380] - Cannot preserve whitespace in Maven plugin configuration
[MNG-5381] - Restore MavenSession.getRepositoryCache()
[MNG-5382] - Add an IT for @Inject used in plugins
[MNG-5386] - Dispose of ClassRealms after invocation to prevent
out of Permgen errors
[MNG-5388] - Restore embedded integration tests
[MNG-5391] - Update the default WAR plugin version to avoid version 2.3
[MNG-5393] - Look at Sonar's use of SLF4J and Logback
[MNG-5397] - Use SLF4J for logging
[MNG-5407] - Change MavenITmng1830ShowVersionTest to account for SHA1
as version
Task
[MNG-5279] - add CLI options to documentation
[MNG-5365] - Replace Aether's deprecated ConfigurationProperties
with ConfigUtils
[MNG-5372] - remove classes that were added during Maven 3 alpha and beta
but were deprecated before 3.0 final release
[MNG-5373] - Document the usage and benefits of JSR330
[MNG-5374] - Fix transfer listener after the JSR330 merge
[MNG-5375] - Document use of SLF4J
[MNG-5376] - Account for changes between the Apple and Oracle JDKs on OSX
[MNG-5453] - Update Maven 3 build to use Eclipse/Sisu
Wish
[MNG-5370] - separate artifact-handlers configuration from plugin bindings
to default lifecycle
[MNG-5461] - rename _maven.repositories tracking file to _remote.repositories
http://maven.apache.org/docs/3.0.5/release-notes.html
Apache Maven 3.0.5 is a maintenance release to fix a security
issue CVE-2013-0253 Apache Maven 3.0.4
http://maven.apache.org/security.html
CVE-2013-0253 Apache Maven 3.0.4
Apache Maven 3.0.4 (with Apache Maven Wagon 2.1) has
introduced a non-secure SSL mode by default. This mode
disables all SSL certificate checking, including: host
name verification , date validity, and certificate chain.
Not validating the certificate introduces the possibility
of a man-in-the-middle attack.
All users are recommended to upgrade to Apache Maven 3.0.5
and Apache Maven Wagon 2.4.
Maven 2.2.1 aims to correct several critical regressions related to
the selection of the HttpClient-based Wagon implementation for
HTTP/HTTPS transfers in Maven 2.2.0. The new release reverts this
selection, reinstating the Sun-based - or lightweight - Wagon
implementation as the default for this sort of traffic. However, Maven
2.2.1 goes a step further to provide a means of selecting which
provider - or implementation - the user wishes to use for a particular
transfer protocol. More information on providers can be found in our
Guide to Wagon Providers.
In addition, Maven 2.2.1 addresses some long-standing problems related
to injecting custom lifecycle mappings and artifact handlers. These
custom components are now correctly loaded regardless of whether they
come from a plugin with the extensions flag enabled, or from a pure
build extension. In addition, custom artifact handlers now will be
used to configure the attributes of the main project artifact in
addition to any artifacts related to dependencies or project
attachments created during the build.
Maven 2.2.0 contains a few important changes that justify the version
upgrade, instead of simply naming it 2.1.1. First, the Java requirement
for Maven 2.2.0 has been upgraded to 1.5 or later. This upgrade was
planned for 2.1.0, but that release still contained binaries that were
compatible with JDK 1.4. In addition, due to some serious flaws in the
version-expression POM transformation included in 2.1.0, this feature
has been removed for the time being. Finally, some new default execution
IDs have been added to Maven to enable the separation of configuration
for plugins bound by the default lifecycle mappings, and for those
invoked directly from the command line.
Changes that may affect existing builds
* MNG-4143 - Starting in 2.2.0, Maven will run only on Java 1.5 and later.
You can still build projects for JDK1.4 and earlier using the approach
documented in the Guide to Building JDK 1.4 Projects on JDK 1.5.
* MNG-3401 - Executions with an id equal to default-phase (where phase is
a valid lifecycle phase) may have unexpected results as it will be merged
into the default lifecycle.
* MNG-4140/4179 - Version-expression resolution during installation and
deployment has been removed, returning to Maven 2.0.x behaviour.
Maven is a software project management and comprehension tool.
Based on the concept of a project object model (POM), Maven
can manage a project's build, reporting and documentation from
a central piece of information.