NO-ISSUE: Maven plugins update #2819
Conversation
|
@yesamer I guess I didn't write this anywhere, but the idea of managing the versions of Maven plugins ourselves is to have more control over patches that may contain security fixes. If we delegate it to the Apache parent we may find ourselves in a position of having to declare them anyway to fix something that the Apache parent hasn't. |
|
@tiagobento Well, at the moment a CVE is detected in any plugin version, we can temporarily override. I guess that is a good compromise on having the same plugin versions used anywhere and keeping them updated. |
| <version.maven.deploy.plugin>3.1.2</version.maven.deploy.plugin> | ||
| <version.maven.failsafe.plugin>${version.maven.surefire.plugin}</version.maven.failsafe.plugin> |
There was a problem hiding this comment.
hm, this sounds a little bit non-standard to me, is that intentional to combine failsafe and surefire versions? furthermore version.maven.failsafe.plugin seems to be unused
There was a problem hiding this comment.
@jomarko Yes, that's correct. failsafe and surefire have the same release cycle. apache pom manages that in the same way: https://repo.maven.apache.org/maven2/org/apache/apache/32/apache-32.pom
| <version.dependency.plugin>3.3.0</version.dependency.plugin> | ||
| <version.deploy.plugin>2.8.2</version.deploy.plugin> | ||
| <version.enforcer.plugin>3.1.0</version.enforcer.plugin> | ||
| <version.checkstyle.plugin>3.4.0</version.checkstyle.plugin> |
There was a problem hiding this comment.
is expected dashbuilder overrides to 3.1.1? I think preferred would be single version everywhere if possible
There was a problem hiding this comment.
I purposely didn't touch dashbuilder because is not a project under our control, however, I can do a tentative
There was a problem hiding this comment.
@jomarko Updated versions in dashbuilder as well, thank you!
| <version.deploy.plugin>2.8.2</version.deploy.plugin> | ||
| <version.enforcer.plugin>3.1.0</version.enforcer.plugin> | ||
| <version.checkstyle.plugin>3.4.0</version.checkstyle.plugin> | ||
| <version.clean.plugin>3.4.0</version.clean.plugin> |
| <version.enforcer.plugin>3.1.0</version.enforcer.plugin> | ||
| <version.checkstyle.plugin>3.4.0</version.checkstyle.plugin> | ||
| <version.clean.plugin>3.4.0</version.clean.plugin> | ||
| <version.compiler.plugin>3.13.0</version.compiler.plugin> |
| <version.compiler.plugin>3.13.0</version.compiler.plugin> | ||
| <version.dependency.plugin>3.7.1</version.dependency.plugin> | ||
| <version.deploy.plugin>3.1.2</version.deploy.plugin> | ||
| <version.enforcer.plugin>3.5.0</version.enforcer.plugin> |
| <version.failsafe.plugin>${version.surefire.plugin}</version.failsafe.plugin> | ||
| <version.install.plugin>2.5.2</version.install.plugin> | ||
| <version.install.plugin>3.1.2</version.install.plugin> |
There was a problem hiding this comment.
version misalignment is also for:
version.maven.artifact.pluginversion.resources.pluginversion.site.pluginversion.surefire.pluginversion.war.plugin
|
@tiagobento I checked the CVE history of all declared plugins in Apache parent pom. |
|
@yesamer Problems are often in transitive dependencies... |
|
@tiagobento Even in such a case, those dependencies are not transitively imported in the production code, as the dependencies imported by the plugin are used during its own compile time only. |
In this PR: