Howdy, So, have a small local change, probably to go with 3.9.3.
changes: - message modified, it is now clear that it is "plugin descriptor" that contains unwanted artifacts - added new check that "checks reality", the plugin resolved dependencies So, now messages on JDBI project look like this (two examples): [WARNING] * org.asciidoctor:asciidoctor-maven-plugin:2.2.3 [WARNING] Declared at location(s): [WARNING] * org.jdbi:jdbi3-docs:3.38.3-SNAPSHOT (docs/pom.xml) @ line 270 [WARNING] Used in module(s): [WARNING] * org.jdbi:jdbi3-docs:3.38.3-SNAPSHOT (docs/pom.xml) [WARNING] Plugin issue(s): [WARNING] * Plugin should declare these Maven artifacts in `provided` scope: [org.apache.maven:maven-core:3.0.5, org.apache.maven:maven-plugin-api:3.0.5] [WARNING] * Plugin descriptor should not contain these Maven artifacts: [org.apache.maven:maven-model-builder:3.0.5, org.apache.maven:maven-core:3.0.5, org.apache.maven:maven-plugin-api:3.0.5, org.apache.maven:maven-model:3.0.5, org.apache.maven:maven-settings:3.0.5, org.apache.maven:maven-artifact:3.0.5, org.apache.maven:maven-repository-metadata:3.0.5, org.apache.maven:maven-aether-provider:3.0.5, org.apache.maven:maven-settings-builder:3.0.5] [WARNING] * Plugin depends on plexus-container-default, which is EOL [WARNING] [WARNING] * org.basepom.maven:inline-maven-plugin:1.0.1 [WARNING] Declared at location(s): [WARNING] * org.jdbi:jdbi3-core:3.38.3-SNAPSHOT (core/pom.xml) @ line 145 [WARNING] Used in module(s): [WARNING] * org.jdbi:jdbi3-core:3.38.3-SNAPSHOT (core/pom.xml) [WARNING] Plugin issue(s): [WARNING] * Plugin descriptor should not contain these Maven artifacts: [org.apache.maven:maven-artifact:3.8.4, org.apache.maven:maven-settings-builder:3.8.4, org.apache.maven:maven-repository-metadata:3.8.4, org.apache.maven:maven-builder-support:3.8.4, org.apache.maven:maven-core:3.8.4, org.apache.maven:maven-resolver-provider:3.8.4, org.apache.maven:maven-settings:3.8.4, org.apache.maven:maven-plugin-api:3.8.4, org.apache.maven:maven-model-builder:3.8.4, org.apache.maven:maven-model:3.8.4] Problems of asciidoctor-maven-plugin:2.2.3: 1. does not declare scopes properly: https://github.com/asciidoctor/asciidoctor-maven-plugin/blob/asciidoctor-maven-plugin-2.2.3/pom.xml#L108-L117 2. plugin descriptor (META-INF/maven/plugin.xml) really contains all the listed artifacts, reason is problem in bullet 1: they are not in provided, hence in descriptor full transitive hull is present Problems of inline-maven-plugin:1.0.1 1. descriptor contains WAY TOO MANY artifacts (due MPLUGIN-382) Thanks T On Fri, May 19, 2023 at 10:22 AM Tamás Cservenák <ta...@cservenak.net> wrote: > Henning, your do have open option to go: > > in inline-maven-project upgrade (buggy) maven-plugin-plugin 3.6.2 (suffers > from https://issues.apache.org/jira/browse/MPLUGIN-382) to a more recent > one. > > OTOH, this issue revealed a validation issue: > - it relies on pluginDescriptor/dependencies to perform validation (that > contains wrong entries due MPLUGIN-382) > - we may want to validate the "reality" (plugin POM directly, instead of > derived plugin descriptor that is built out of plugin POM at build time by > maven-plugin-plugin, that may have bug as in this case) > > So, in this case we have an interesting situation: > - your inline project POM is good > - what is not good is bug in used m-plugin-p 3.6.2 (produces wrong plugin > descriptor) > - Maven 3.9.2 detects this (well, unwanted artifacts in there) and reports > "plugin as wrong" > > Your option is to upgrade m-plugin-p to (possibly latest) version and > release. > > Our option for the next Maven is probably to reconsider the data set we > validate from. > > Thanks > T > > > > On Fri, May 19, 2023 at 7:28 AM Henning Schmiedehausen < > henn...@schmiedehausen.org> wrote: > >> From maven 3.9.2: >> >> [WARNING] * org.basepom.maven:inline-maven-plugin:1.0.1 >> [WARNING] Declared at location(s): >> [WARNING] * org.jdbi:jdbi3-core:3.38.3-SNAPSHOT (core/pom.xml) @ line >> 145 >> [WARNING] Used in module(s): >> [WARNING] * org.jdbi:jdbi3-core:3.38.3-SNAPSHOT (core/pom.xml) >> [WARNING] Plugin issue(s): >> [WARNING] * Plugin should declare these Maven artifacts in `*provided*` >> scope: [ >> org.apache.maven:maven-artifact:3.8.4, >> org.apache.maven:maven-settings-builder:3.8.4, >> org.apache.maven:maven-repository-metadata:3.8.4, >> org.apache.maven:maven-builder-support:3.8.4, >> org.apache.maven:maven-core:3.8.4, >> org.apache.maven:maven-resolver-provider:3.8.4, >> org.apache.maven:maven-settings:3.8.4, >> org.apache.maven:maven-plugin-api:3.8.4, >> org.apache.maven:maven-model-builder:3.8.4, >> org.apache.maven:maven-model:3.8.4] >> >> >> From the plugin project itself, on the 1.0.1 tag: >> >> ❯ mvn dependency:list -pl :inline-maven-plugin | grep provided | sort >> [...] >> [INFO] org.apache.maven:maven-artifact:jar:3.8.4:*provided* -- module >> maven.artifact (auto) >> [INFO] org.apache.maven:maven-builder-support:jar:3.8.4:*provided* -- >> module maven.builder.support (auto) >> [INFO] org.apache.maven:maven-core:jar:3.8.4:*provided* -- module >> maven.core (auto) >> [INFO] org.apache.maven:maven-model-builder:jar:3.8.4:*provided* -- >> module maven.model.builder (auto) >> [INFO] org.apache.maven:maven-model:jar:3.8.4:*provided* -- module >> maven.model (auto) >> [INFO] org.apache.maven:maven-plugin-api:jar:3.8.4:*provided* -- module >> maven.plugin.api (auto) >> [INFO] org.apache.maven:maven-repository-metadata:jar:3.8.4:*provided* >> -- module maven.repository.metadata (auto) >> [INFO] org.apache.maven:maven-resolver-provider:jar:3.8.4:*provided* -- >> module maven.resolver.provider (auto) >> [INFO] org.apache.maven:maven-settings-builder:jar:3.8.4:*provided* -- >> module maven.settings.builder (auto) >> [INFO] org.apache.maven:maven-settings:jar:3.8.4:*provided* -- module >> maven.settings (auto) >> [...] >> >> Sorry, folks, I got nothing. >> >> Maven 3.9.2 complains that the inline plugin needs to declare >> <dependencies> in *provided* scope. A build user might report that to >> their >> build engineer or report it to the plugin author. >> >> As the plugin author, my plugin in the version 1.0.1 *DOES* declare every >> single dependency that maven warns about in *provided* scope. >> >> There is literally *nothing* that I can do. Neither as build user, nor as >> build engineer, nor as plugin author. >> >> I don't get it. What *is* the point? Really interested to learn *why* the >> maven team has chosen to go down this path. >> >> -h >> >
