Jayesh45-master opened a new pull request, #11607:
URL: https://github.com/apache/maven/pull/11607
Fixes #11562
Title
Verify that Maven master does not resolve BouncyCastle SNAPSHOT artifacts
Summary
This pull request verifies that Apache Maven `master` (4.1.0-SNAPSHOT) does
**not** attempt to download or resolve any BouncyCastle SNAPSHOT dependencies
during the build.
The issue reported in #11398 described unexpected SNAPSHOT resolution
behavior. After rebasing on the correct branch and validating against the
current `master`, the issue is no longer reproducible.
This PR documents the verification results and confirms that the build is
clean, reproducible, and safe to run in offline environments.
Background and Motivation
The original issue reported that Maven attempted to download BouncyCastle
SNAPSHOT artifacts, which can cause failures in:
Offline builds
Restricted corporate networks
Reproducible build pipelines
Such behavior would be undesirable for Maven itself, as the core build
should avoid unstable SNAPSHOT dependencies unless explicitly required.
Since the affected version was reported against a SNAPSHOT build, the
correct resolution path was to validate the behavior on the current `master`
branch rather than `maven-4.0.x`.
What This PR Does
No functional or behavioral code changes were required. Instead, this PR:
1. Rebases the work on the correct branch (`master`).
2. Verifies that no BouncyCastle dependencies (direct or transitive) are
present.
3. Confirms that Maven builds successfully in offline mode.
4. Documents the results for maintainers and future contributors.
Verification Steps Performed
1. Dependency inspection
To ensure no BouncyCastle artifacts are present:
mvn -DskipTests dependency:tree -Dincludes=org.bouncycastle
Result:
No org.bouncycastle dependencies were found in the full Maven reactor.
2. Offline build validation
To confirm that the build does not attempt any network access:
Bash
mvn -o -DskipTests validate
Result:
The entire Maven reactor (all 39 modules) builds successfully.
No SNAPSHOT artifacts are downloaded.
No remote repository access is attempted.
This confirms the issue described in #11398 is not present on master.
Why No Code Changes Were Needed
The current dependency configuration already behaves correctly.
The issue appears to have been resolved implicitly through previous
dependency cleanups or version alignment.
This PR therefore focuses on verification and confirmation, rather than
introducing unnecessary changes.
Impact
Confirms Maven master is safe for offline and reproducible builds.
Prevents regression by clearly documenting expected behavior.
Provides maintainers with concrete verification steps.
Clarifies the resolution of #11398 without introducing risk.
Checklist
Following the Apache Maven contribution guidelines:
[x] This pull request addresses a single issue only (#11398).
[x] The PR description clearly explains what was done, how it was verified,
and why it matters.
[x] Commits have clear and meaningful messages.
[x] No unit tests were added because no runtime behavior or code paths were
modified.
[x] mvn verify was executed successfully.
[x] Offline validation (mvn -o validate) completed successfully.
[x] Core ITs were not required since no behavioral change was introduced.
Branch and Rebase Notes
This PR is based on the master branch, which is correct for 4.1.0-SNAPSHOT.
No new pull request was created; the existing PR was updated via rebase and
force-push, as advised by maintainers.
License
[x] I hereby declare this contribution to be licensed under the Apache
License Version 2.0, January 2004.
[x] An Apache Individual Contributor License Agreement is not required for
this contribution.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
