I think the warnings in general have thus far been a good thing.  The level of 
plugins reacting now and people reporting issues is very clear.  I'd suspect 
this to die down in the next month or two as these flush themselves out, and 
really Maven 3.9.x is all about the journey to Maven 4, so this IMO is kind of 
expected noise for the most part.  There are definitely some improvements to be 
had in general though.

-----Original Message-----
From: Tamás Cservenák <ta...@cservenak.net>
Sent: Friday, May 19, 2023 5:44 AM
To: Maven Developers List <dev@maven.apache.org>
Subject: Re: maven 3.9.x warnings

FTR, issue (and PR linked to it)
https://issues.apache.org/jira/browse/MNG-7786

On Fri, May 19, 2023 at 11:35 AM Tamás Cservenák <ta...@cservenak.net>
wrote:

> Howdy,
>
> So, have a small local change, probably to go with 3.9.3.
>
> changes:
> - message modified, it is now clear that it is "plugin descriptor"
> that contains unwanted artifacts
> - added new check that "checks reality", the plugin resolved
> dependencies
>
> So, now messages on JDBI project look like this (two examples):
>
> [WARNING]  * org.asciidoctor:asciidoctor-maven-plugin:2.2.3
> [WARNING]   Declared at location(s):
> [WARNING]    * org.jdbi:jdbi3-docs:3.38.3-SNAPSHOT (docs/pom.xml) @ line
> 270
> [WARNING]   Used in module(s):
> [WARNING]    * org.jdbi:jdbi3-docs:3.38.3-SNAPSHOT (docs/pom.xml)
> [WARNING]   Plugin issue(s):
> [WARNING]    * Plugin should declare these Maven artifacts in `provided`
> scope: [org.apache.maven:maven-core:3.0.5,
> org.apache.maven:maven-plugin-api:3.0.5]
> [WARNING]    * Plugin descriptor should not contain these Maven artifacts:
> [org.apache.maven:maven-model-builder:3.0.5,
> org.apache.maven:maven-core:3.0.5,
> org.apache.maven:maven-plugin-api:3.0.5,
> org.apache.maven:maven-model:3.0.5,
> org.apache.maven:maven-settings:3.0.5,
> org.apache.maven:maven-artifact:3.0.5,
> org.apache.maven:maven-repository-metadata:3.0.5,
> org.apache.maven:maven-aether-provider:3.0.5,
> org.apache.maven:maven-settings-builder:3.0.5]
> [WARNING]    * Plugin depends on plexus-container-default, which is EOL
> [WARNING]
> [WARNING]  * org.basepom.maven:inline-maven-plugin:1.0.1
> [WARNING]   Declared at location(s):
> [WARNING]    * org.jdbi:jdbi3-core:3.38.3-SNAPSHOT (core/pom.xml) @ line
> 145
> [WARNING]   Used in module(s):
> [WARNING]    * org.jdbi:jdbi3-core:3.38.3-SNAPSHOT (core/pom.xml)
> [WARNING]   Plugin issue(s):
> [WARNING]    * Plugin descriptor should not contain these Maven artifacts:
> [org.apache.maven:maven-artifact:3.8.4,
> org.apache.maven:maven-settings-builder:3.8.4,
> org.apache.maven:maven-repository-metadata:3.8.4,
> org.apache.maven:maven-builder-support:3.8.4,
> org.apache.maven:maven-core:3.8.4,
> org.apache.maven:maven-resolver-provider:3.8.4,
> org.apache.maven:maven-settings:3.8.4,
> org.apache.maven:maven-plugin-api:3.8.4,
> org.apache.maven:maven-model-builder:3.8.4,
> org.apache.maven:maven-model:3.8.4]
>
> Problems of asciidoctor-maven-plugin:2.2.3:
> 1. does not declare scopes properly:
> https://github.com/asciidoctor/asciidoctor-maven-plugin/blob/asciidoctor-maven-plugin-2.2.3/pom.xml#L108-L117
> 2. plugin descriptor (META-INF/maven/plugin.xml) really contains all
> the listed artifacts, reason is problem in bullet 1: they are not in
> provided, hence in descriptor full transitive hull is present
>
> Problems of inline-maven-plugin:1.0.1
> 1. descriptor contains WAY TOO MANY artifacts (due to MPLUGIN-382)
>
>
> Thanks
> T
>
> On Fri, May 19, 2023 at 10:22 AM Tamás Cservenák <ta...@cservenak.net>
> wrote:
>
>> Henning, you do have an open option to go:
>>
>> in inline-maven-project upgrade (buggy) maven-plugin-plugin 3.6.2
>> (suffers from
>> https://issues.apache.org/jira/browse/MPLUGIN-382) to a more recent one.
>>
>> OTOH, this issue revealed a validation issue:
>> - it relies on pluginDescriptor/dependencies to perform validation
>> (that contains wrong entries due to MPLUGIN-382)
>> - we may want to validate the "reality" (plugin POM directly, instead
>> of derived plugin descriptor that is built out of plugin POM at build
>> time by maven-plugin-plugin, that may have bug as in this case)
>>
>> So, in this case we have an interesting situation:
>> - your inline project POM is good
>> - what is not good is bug in used m-plugin-p 3.6.2 (produces wrong
>> plugin
>> descriptor)
>> - Maven 3.9.2 detects this (well, unwanted artifacts in there) and
>> reports "plugin as wrong"
>>
>> Your option is to upgrade m-plugin-p to (possibly latest) version and
>> release.
>>
>> Our option for the next Maven is probably to reconsider the data set
>> we validate from.
>>
>> Thanks
>> T
>>
>>
>>
>> On Fri, May 19, 2023 at 7:28 AM Henning Schmiedehausen <
>> henn...@schmiedehausen.org> wrote:
>>
>>> From maven 3.9.2:
>>>
>>> [WARNING]  * org.basepom.maven:inline-maven-plugin:1.0.1
>>> [WARNING]   Declared at location(s):
>>> [WARNING]    * org.jdbi:jdbi3-core:3.38.3-SNAPSHOT (core/pom.xml) @ line
>>> 145
>>> [WARNING]   Used in module(s):
>>> [WARNING]    * org.jdbi:jdbi3-core:3.38.3-SNAPSHOT (core/pom.xml)
>>> [WARNING]   Plugin issue(s):
>>> [WARNING]    * Plugin should declare these Maven artifacts in
>>> `*provided*`
>>> scope: [
>>>   org.apache.maven:maven-artifact:3.8.4,
>>>   org.apache.maven:maven-settings-builder:3.8.4,
>>>   org.apache.maven:maven-repository-metadata:3.8.4,
>>>   org.apache.maven:maven-builder-support:3.8.4,
>>>   org.apache.maven:maven-core:3.8.4,
>>>   org.apache.maven:maven-resolver-provider:3.8.4,
>>>   org.apache.maven:maven-settings:3.8.4,
>>>   org.apache.maven:maven-plugin-api:3.8.4,
>>>   org.apache.maven:maven-model-builder:3.8.4,
>>>   org.apache.maven:maven-model:3.8.4]
>>>
>>>
>>> From the plugin project itself, on the 1.0.1 tag:
>>>
>>> ❯ mvn dependency:list -pl :inline-maven-plugin | grep provided |
>>> sort [...]
>>> [INFO]    org.apache.maven:maven-artifact:jar:3.8.4:*provided* -- module
>>> maven.artifact (auto)
>>> [INFO]    org.apache.maven:maven-builder-support:jar:3.8.4:*provided* --
>>> module maven.builder.support (auto)
>>> [INFO]    org.apache.maven:maven-core:jar:3.8.4:*provided* -- module
>>> maven.core (auto)
>>> [INFO]    org.apache.maven:maven-model-builder:jar:3.8.4:*provided* --
>>> module maven.model.builder (auto)
>>> [INFO]    org.apache.maven:maven-model:jar:3.8.4:*provided* -- module
>>> maven.model (auto)
>>> [INFO]    org.apache.maven:maven-plugin-api:jar:3.8.4:*provided* --
>>> module
>>> maven.plugin.api (auto)
>>> [INFO]    org.apache.maven:maven-repository-metadata:jar:3.8.4:*provided*
>>> -- module maven.repository.metadata (auto)
>>> [INFO]    org.apache.maven:maven-resolver-provider:jar:3.8.4:*provided*
>>> --
>>> module maven.resolver.provider (auto)
>>> [INFO]    org.apache.maven:maven-settings-builder:jar:3.8.4:*provided* --
>>> module maven.settings.builder (auto)
>>> [INFO]    org.apache.maven:maven-settings:jar:3.8.4:*provided* -- module
>>> maven.settings (auto)
>>> [...]
>>>
>>> Sorry, folks, I got nothing.
>>>
>>> Maven 3.9.2 complains that the inline plugin needs to declare
>>> <dependencies> in *provided* scope. A build user might report that
>>> to their build engineer or report it to the plugin author.
>>>
>>> As the plugin author, my plugin in the version 1.0.1 *DOES* declare
>>> every single dependency that maven warns about in *provided* scope.
>>>
>>> There is literally *nothing* that I can do. Neither as build user,
>>> nor as build engineer, nor as plugin author.
>>>
>>> I don't get it. What *is* the point? Really interested to learn
>>> *why* the maven team has chosen to go down this path.
>>>
>>> -h
>>>
>>
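
The descriptor-side check discussed in this thread can be reproduced outside a build by reading `META-INF/maven/plugin.xml` straight from a plugin JAR. The following is an added example, not part of the original messages and not Maven's own validator code. The sample descriptor is constructed, and the rule "core artifact = `org.apache.maven:maven-*`" is an assumption taken from the artifact lists in the warnings above.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DESCRIPTOR = "META-INF/maven/plugin.xml"

# Constructed sample descriptor (not taken from any real plugin JAR).
SAMPLE_PLUGIN_XML = """<plugin>
  <groupId>com.example</groupId>
  <artifactId>demo-maven-plugin</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency><groupId>org.apache.maven</groupId><artifactId>maven-core</artifactId><type>jar</type><version>3.8.4</version></dependency>
    <dependency><groupId>org.apache.maven</groupId><artifactId>maven-plugin-api</artifactId><type>jar</type><version>3.8.4</version></dependency>
    <dependency><groupId>org.codehaus.plexus</groupId><artifactId>plexus-container-default</artifactId><type>jar</type><version>1.0-alpha-9</version></dependency>
    <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId><type>jar</type><version>31.1-jre</version></dependency>
  </dependencies>
</plugin>"""


def build_sample_jar() -> bytes:
    """Return an in-memory JAR holding only the constructed descriptor."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(DESCRIPTOR, SAMPLE_PLUGIN_XML)
    return buf.getvalue()


def audit_plugin_jar(jar_bytes: bytes) -> dict:
    """List descriptor dependencies of the kinds the warnings in this thread name."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if DESCRIPTOR not in jar.namelist():
            raise ValueError("not a Maven plugin JAR: no " + DESCRIPTOR)
        root = ET.fromstring(jar.read(DESCRIPTOR))
    core, eol = [], []
    for dep in root.findall("./dependencies/dependency"):
        g = (dep.findtext("groupId") or "").strip()
        a = (dep.findtext("artifactId") or "").strip()
        v = (dep.findtext("version") or "").strip()
        gav = f"{g}:{a}:{v}"
        # Assumed heuristic: Maven core artifacts are org.apache.maven:maven-*
        if g == "org.apache.maven" and a.startswith("maven-"):
            core.append(gav)
        elif a == "plexus-container-default":
            eol.append(gav)
    return {"maven_core_in_descriptor": sorted(core), "eol_container": eol}


if __name__ == "__main__":
    for key, hits in audit_plugin_jar(build_sample_jar()).items():
        print(key, hits)
```

Python's documentation warns that `xml.etree` is not hardened against maliciously constructed XML, so descriptors from untrusted JARs are better parsed with a hardened parser such as `defusedxml`.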
