[ANN] Apache Maven 3.8.1 Released

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

[ANN] Apache Maven 3.8.1 Released

rfscholte
The Apache Maven team is pleased to announce the release of the Apache Maven 3.8.1

Apache Maven is a software project management and comprehension tool. Based on the concept
of a project object model (POM), Maven can manage a project's build, reporting and documentation
from a central piece of information.

Maven 3.8.1 is available via https://maven.apache.org/download.cgi

The core release is independent of plugin releases. Further releases of plugins will be made
separately.

If you have any questions, please consult:

- the web site: https://maven.apache.org/
- the maven-user mailing list: https://maven.apache.org/mailing-lists.html
- the reference documentation: https://maven.apache.org/ref/3.8.1/

RELEASE DETAILS

This release with CVE fixes is a result based on the findings and feedback of Jonathan Leitschuh and Olaf Flebbe.

One of the changes that might impact your builds is the way custom repositories defined in dependency POMs will be handled.
By default external insecure repositories will now be blocked (localhost over HTTP will still work).
Configuration can be adjusted via the conf/settings.xml.

Release Notes - Maven - Version 3.8.1

** Bug

    * [MNG-7128] - improve error message when blocked repository defined in build POM

** New Feature

    * [MNG-7116] - Add support for mirror selector on external:http:*
    * [MNG-7117] - Add support for blocking mirrors
    * [MNG-7118] - Block external HTTP repositories by default

** Dependency upgrade
    * [MNG-7119] - Upgrade Maven Wagon to 3.4.3
    * [MNG-7123] - Upgrade Maven Resolver to 1.6.2

For more information read https://maven.apache.org/docs/3.8.1/release-notes.html

Enjoy!

- The Maven Team
Reply | Threaded
Open this post in threaded view
|

Re: [ANN] Apache Maven 3.8.1 Released

John Patrick
Does the Maven Wrapper need to be release/upgraded at the same time as
core Maven?

I was using takari maven wrapper, so did this to upgrade;
$ ./mvnw -N io.takari:maven:0.7.7:wrapper -Dmaven=3.8.1

From what I can tell everything still works with Takari v0.7.7 and Maven v3.8.1.

I then wanted to switch to Maven Wrapper as this was down for a Maven
v3.7.0 release as per
(https://maven.apache.org/plugins/maven-wrapper-plugin/index.html).

So I did this as documented here
(https://maven.apache.org/plugins/maven-wrapper-plugin/wrapper-mojo.html)
and get the following missing dependency;
$ ./mvnw org.apache.maven.plugins:maven-wrapper-plugin:3.0.1:wrapper
...
[INFO] --- maven-wrapper-plugin:3.0.1:wrapper (default-cli) @ PROJECT ---
Downloading from central:
https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven-wrapper/3.8.1/apache-maven-wrapper-3.8.1.pom
[WARNING] The POM for
org.apache.maven:apache-maven-wrapper:zip:script:3.8.1 is missing, no
dependency information available
Downloading from central:
https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven-wrapper/3.8.1/apache-maven-wrapper-3.8.1-script.zip
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.678 s
[INFO] Finished at: 2021-04-05T11:12:02+01:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal
org.apache.maven.plugins:maven-wrapper-plugin:3.0.1:wrapper
(default-cli) on project PROJECT: Could not find artifact
org.apache.maven:apache-maven-wrapper:zip:script:3.8.1 in central
(https://repo.maven.apache.org/maven2) -> [Help 1]
$

Because it's got a 3.8.1 version number I would assume it should be
release at the same time as core Maven.

John

On Sun, 4 Apr 2021 at 19:14, Robert Scholte <[hidden email]> wrote:

>
> The Apache Maven team is pleased to announce the release of the Apache Maven 3.8.1
>
> Apache Maven is a software project management and comprehension tool. Based on the concept
> of a project object model (POM), Maven can manage a project's build, reporting and documentation
> from a central piece of information.
>
> Maven 3.8.1 is available via https://maven.apache.org/download.cgi
>
> The core release is independent of plugin releases. Further releases of plugins will be made
> separately.
>
> If you have any questions, please consult:
>
> - the web site: https://maven.apache.org/
> - the maven-user mailing list: https://maven.apache.org/mailing-lists.html
> - the reference documentation: https://maven.apache.org/ref/3.8.1/
>
> RELEASE DETAILS
>
> This release with CVE fixes is a result based on the findings and feedback of Jonathan Leitschuh and Olaf Flebbe.
>
> One of the changes that might impact your builds is the way custom repositories defined in dependency POMs will be handled.
> By default external insecure repositories will now be blocked (localhost over HTTP will still work).
> Configuration can be adjusted via the conf/settings.xml.
>
> Release Notes - Maven - Version 3.8.1
>
> ** Bug
>
>     * [MNG-7128] - improve error message when blocked repository defined in build POM
>
> ** New Feature
>
>     * [MNG-7116] - Add support for mirror selector on external:http:*
>     * [MNG-7117] - Add support for blocking mirrors
>     * [MNG-7118] - Block external HTTP repositories by default
>
> ** Dependency upgrade
>     * [MNG-7119] - Upgrade Maven Wagon to 3.4.3
>     * [MNG-7123] - Upgrade Maven Resolver to 1.6.2
>
> For more information read https://maven.apache.org/docs/3.8.1/release-notes.html
>
> Enjoy!
>
> - The Maven Team

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]