I recognized that Maven not always uses the latest version of a plugin.
For example org.codehaus.mojo:sonar-maven-plugin version 2.7 has beed released on 19th of October but on 23th of October, 2.6 was still used by Maven (mvn sonar:sonar).
I even remember some plugins, where the latest version was several minor releases above the version that Maven decided to use.
Is there any (central) index/list/database where Maven looks up what version to use? If yes, where can it be accessed manually?
I know this is an ancient thread but in the interest of posterity and accuracy: all pom.xmls logically inherit from the super POM. You can always see what your "real" pom.xml looks like by typing:
mvn help:effective-pom
The resulting pom.xml that is printed is a combination of the super POM, your pom.xml, and of course any parent POMs in the mix as well.
The super POM is provided by the org.apache.maven.model.superpom.DefaultSuperPomProvider class (https://github.com/apache/maven/blob/bce33aa2662a51d18cb00347cf2fb174dc195fb1/maven-model-builder/src/main/java/org/apache/maven/model/superpom/DefaultSuperPomProvider.java#L56-L85). The resource it loads is org/apache/maven/model/pom-4.0.0.xml (https://github.com/apache/maven/blob/bce33aa2662a51d18cb00347cf2fb174dc195fb1/maven-model-builder/src/main/resources/org/apache/maven/model/pom-4.0.0.xml#L23-L149).
As far as i know, this link will answer your question.
Automatic Plugin Version Resolution
When a plugin was invoked without an explicit version given in the POM
or on the command line, Maven 2.x used to pick the latest version
available where the latest version could either be a release or a
snapshot. For the sake of stability, Maven 3.x prefers the latest
release version over the latest snapshot version.
Given the threat of non-reproducible builds imposed by automatic
plugin version resolution, this feature is scheduled for removal as
far as plugin declarations in the POM are concerned. Users of Maven
3.x will find it output a warning when missing plugin versions are detected to encourage the addition of plugin versions to the POM or
one of its parent POMs. The Enforcer rule requirePluginVersions can be
used additionally check for missing plugin versions in the POM
For command line execution if a version is not specified Maven looks up the latest version from the GA (group ID/artifact ID) maven-metadata.xml file.
Example: http://repo1.maven.org/maven2/org/apache/maven/plugins/maven-clean-plugin/maven-metadata.xml
If you're encoding command line execution of Maven goals into your builds you should specify a version for these, otherwise your builds may change as new versions of plugins are released.
Related
I am looking at jar hell right now between selenium and a google cloud jar. selenium is a bit out of date but in trying to see the versions in the pom file found here, I see no versions...
https://repo1.maven.org/maven2/com/google/auth/google-auth-library-oauth2-http/0.17.1/
How to tell what the version of guava that it will use is?
I saw something like this but not sure how to run it
mvn -P help:effective-pom -Dverbose
I use gradle so not sure how to point that at the remote artifact. I can use gradle to see what version it's bringing in, but what I don't get is how there is no version in the pom file and where gradle is getting it from. I am praying it's not just bringing in the latest version as that would be really really bad and create an unreproducible build over time where if we tag a version of our release, later when we build, it would bring in the wrong jars and could break. Where is the version coming from for guava there?
thanks,
Dean
The POM defines a parent POM, which is
https://repo1.maven.org/maven2/com/google/auth/google-auth-library-parent/0.17.1/google-auth-library-parent-0.17.1.pom
Here you find the version of guava as a property, which is then used in the <dependencyManagement>.
I'm using the maven dependency:tree command to see all my modules and submodules.
We're using a dev=RELEASE version model so that we can see our dependencies fail fast. Then we lock in a version when we go to prod.
Our dependency tree goes about four levels deep of modules.
I want a quick way to identify if anything in my pom dependencies contains a RELEASE version.
I'd like to be able to use the dependency:tree command to do this - but unfortunately it resolves all the RELEASE versions to the last 'dot' version.
Note this is using Maven 2.
My question is: How do I get the maven dependency:tree command to show when I'm using a RELEASE version?
The trick is - as the comments have pointed out - is to upgrade to Maven 3 - and then use the Maven Versions Plugin :
This means you have to set the versions explicitly - but you still get the fail-fast behaviour.
See here for more detail:
https://stackoverflow.com/a/48184999/15441
Per a previous question on here, I was able to run:
mvn com.isomorphic:isc-maven-plugin:1.1.1:install -Dproduct=SMARTGWT -Dlicense=LGPL -DbuildNumber=5.0p -DbuildDate=2014-11-30
This did work. But I wonder ... do we need to do this again for the latest build? How do we even know where to find the latest build. I just want to use the latest, stable version, and not a nightly build.
Also, what is the correct dependency for SmartGWT 5.0p in my pom.xml file?
I have the old version which worked with 4.0, or do I need to use a new dependency? Is there anything else I might need to add to my pom.xml file?
Believe I hit Google for the last two days, and even on the SmartGWT Isomorphic site I still couldn't find a definitive answer.
Thanks for any help!
Due to Isomorphic licence scheme unfortunately if you need to update to a newer smartgwt build you cannot rely on maven "by design" features. You should run the install command again changing buildNumber or/and buildDate as desired.
Example
mvn com.isomorphic:isc-maven-plugin:1.1.1:install -Dproduct=SMARTGWT -Dlicense=LGPL -DbuildNumber=5.1p -DbuildDate=2016-01-07
The dependencies in your pom file should then use:
<version>5.1p-20160107</version>
where 5.1p corresponds to the buildNumber value and 20160107 to the buildDate.
Installed files are in ~/.m2/repository/com/isomorphic/smartgwt/lgpl you can check availability and versions there too.
By design, there is no answer: Maven dependency upgrades are manual.
When appropriate, you can look for new releases of your dependency (in this case SmartGWT), find out what the new version is called in the dependency's public Maven repository, update your project's POM, and update your local repository as necessary (mvn install like in the example, deleting old versions, etc.)
Well, the problem is that I want maven to check dependency version on build and warn me if there are any newer dependency versions (in fact - notify me if I use an outdated version of some module). My maven module A has the following dependency:
<dependency>
<groupId>com.example.mycompany</groupId>
<artifactId>commons</artifactId>
<version>1.0.3</version>
</dependency>
And com.example.mycompany:commons module in fact can already have 1.0.4 version. Is there any way to check version of the dependency in repo and fail the build if newer version is already available.
I hope that versions-maven-plugin can make it. But I can not find appropriate configuration.
If you are using source control and a continuous integration server (which is a safe assumption) you can:
use the versions plugin and let it modify the pom
then use the scm:check-local-modification or the release plugin as the release plugin IIRC checks for local modifications.
Here is an example checking for the latest parent pom:
mvn versions:update-parent scm:check-local-modification -DallowSnapshots=false -DgenerateBackupPoms=false
This problem can be solved with the maven-enforcer-plugin. You have to create your own custom rule, because non of the standard rules seem to match your needs.
The notion of the rule you are going to implement should be enforce dependencies are up to date. To implement the check you could get some inspiration by the versions-maven-plugin you mention.
Is it possible to create a release candidate from my current maven project without changing the version number in the pom.xml?
I just want to build a new maven artifact form my project with a specific version number.
For example: my current pom.xml has the version '0.0.1'. I have called mvn install to create the artifact in my local repository. Now I would like to create a second artifact with the version '0.0.1-RC1'
Is this possible from the mvn command line without changing the version number in my pom.xml?
I would advice against your suggestion of not changing the version number. One of the Maven's benefits is to keep your releases in sequence, i.e. after you have made your '0.0.1-RC1' candidate you will continue to work on the '0.0.1-RC2-SNAPSHOT' version (which may result in a '0.0.1-RELEASE').
That said, you don't have to change the version number manually. The Maven Release Plugin offers great help with this with commands such as mvn release:prepare and mvn release:perform. Also read the Maven build versions in the Maven reference manual. You may also find the discussion about Maven version scheme interesting.
As I see it you have two options:
Embrace the release plug-in. It's been designed to address this problem.
Use the versions plug-in and issue your own source code control commands.