类型为maven-archetype的项目尝试下载plexus-tools:1.1

Question

我有一个简单的原型项目。当使用甚至mvn clean时，它试图下载plexus-utils:1.1，由于漏洞，这在我公司的repo中是被禁止的。

我已经检查了对这个版本的依赖关系的各种工件，但没有找到。我能找到的唯一依赖是plexus-utils:3.2.0。

在我的个人笔记本电脑上，如果我从本地存储库中删除plexus-utils的所有版本，它会先下载1.1，然后再下载其他版本(用于干净的插件或原型插件等)。

谁能帮我弄清楚为什么它要下载这个版本的plexus？

pom.xml

...
    <packaging>maven-archetype</packaging>
...

    <build>
        <extensions>
            <extension>
                <groupId>org.apache.maven.archetype</groupId>
                <artifactId>archetype-packaging</artifactId>
                <version>3.1.2</version>
            </extension>
        </extensions>

        <pluginManagement>
            <plugins>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-archetype-plugin</artifactId>
                    <version>3.1.2</version>
                </plugin>
            </plugins>
        </pluginManagement>
    </build>
</project>

mvn -X清理的结果

Apache Maven 3.6.0 (97c98ec64a1fdfee7767ce5ffb20918da4f719f3; 2018-10-24T19:41:47+01:00)
Maven home: C:\no-space-paths\apache-maven-3.6.0\bin\..
Java version: 1.8.0_192, vendor: Oracle Corporation, runtime: C:\Program Files\Java\jdk1.8.0_192\jre
Default locale: en_GB, platform encoding: Cp1252
OS name: "windows 10", version: "10.0", arch: "amd64", family: "windows"
[DEBUG] Created new class realm maven.api
[DEBUG] Importing foreign packages into class realm maven.api
[DEBUG]   Imported: javax.annotation.* < plexus.core

... snip ...

[DEBUG]   Imported: org.codehaus.classworlds < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.* < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.classworlds < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.component < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.configuration < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.container < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.context < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.lifecycle < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.logging < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.personality < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.util.xml.Xpp3Dom < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.util.xml.pull.XmlPullParser < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.util.xml.pull.XmlPullParserException < plexus.core
[DEBUG]   Imported: org.codehaus.plexus.util.xml.pull.XmlSerializer < plexus.core
[DEBUG]   Imported: org.eclipse.aether.* < plexus.core

... snip ...

[DEBUG]   Imported: org.slf4j.spi.* < plexus.core
[DEBUG] Populating class realm maven.api
[INFO] Error stacktraces are turned on.

... snip ...

[INFO] Scanning for projects...
[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=759600, ConflictMarker.markTime=341900, ConflictMarker.nodeCount=1, ConflictIdSorter.graphTime=804800, ConflictIdSorter.topsortTime=613100, ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, ConflictResolver.totalTime=3014800, ConflictResolver.conflictItemCount=1, DefaultDependencyCollector.collectTime=63887200, DefaultDependencyCollector.transformTime=8607800}
[DEBUG] org.apache.maven.archetype:archetype-packaging:jar:3.1.2:
[DEBUG]    org.codehaus.plexus:plexus-utils:jar:1.1:runtime
[DEBUG] Using transporter WagonTransporter with priority -1.0 for https://repo.maven.apache.org/maven2
[DEBUG] Using connector BasicRepositoryConnector with priority 0.0 for https://repo.maven.apache.org/maven2
Downloading from central: https://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/1.1/plexus-utils-1.1.jar
Downloaded from central: https://repo.maven.apache.org/maven2/org/codehaus/plexus/plexus-utils/1.1/plexus-utils-1.1.jar (169 kB at 218 kB/s)

... snip (downloads as normal) ...

[DEBUG] Created new class realm extension>org.apache.maven.archetype:archetype-packaging:3.1.2
[DEBUG] Importing foreign packages into class realm extension>org.apache.maven.archetype:archetype-packaging:3.1.2
[DEBUG]   Imported:  < maven.api
[DEBUG] Populating class realm extension>org.apache.maven.archetype:archetype-packaging:3.1.2
[DEBUG]   Included: org.apache.maven.archetype:archetype-packaging:jar:3.1.2
[DEBUG]   Included: org.codehaus.plexus:plexus-utils:jar:1.1
[DEBUG] Extension realms for project test:test:maven-archetype:0.0.1-SNAPSHOT: [ClassRealm[extension>org.apache.maven.archetype:archetype-packaging:3.1.2, parent: sun.misc.Launcher$AppClassLoader@4e25154f]]
[DEBUG] Created new class realm project>test:test:0.0.1-SNAPSHOT
[DEBUG] Populating class realm project>test:test:0.0.1-SNAPSHOT
[DEBUG]   Included: org.apache.maven.archetype:archetype-packaging:jar:3.1.2

企业版失败，因为它不能下载plexus-utils:1.1。这一切都是在它真正开始处理干净的目标之前。

因此，出于某种原因，它解决了原型包装的依赖关系，并决定它需要plexus-utils:1.1。:runtime在依赖项列表中是什么意思？--编辑后说，我可以看到:runtime必须是依赖项的作用域，但没有在任何地方声明它。

但是如果我看一下原型包装，pom或jar中没有任何东西告诉我它应该使用plexus:1.1。

archetype-packaging-3.1.2.pom

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.apache.maven.archetype</groupId>
    <artifactId>maven-archetype</artifactId>
    <version>3.1.2</version>
  </parent>

  <artifactId>archetype-packaging</artifactId>

  <name>Maven Archetype Packaging</name>
  <description>'maven-archetype' packaging configuration for archetypes.</description>

</project>

maven-archetype-3.1.2.pom

  <dependencyManagement>

... snip ...

      <dependency>
        <groupId>org.codehaus.plexus</groupId>
        <artifactId>plexus-utils</artifactId>
        <version>3.2.0</version>
      </dependency>
...

实际上，原型打包jar文件中唯一的东西就是plexus\components.xml。我认为它可能在这里，但从依赖集合中没有迹象表明它正在使用其中的任何一个，也没有指定干净的目标。

<?xml version="1.0" encoding="UTF-8"?>
<component-set>
  <components>
    <component>
      <role>org.apache.maven.lifecycle.mapping.LifecycleMapping</role>
      <role-hint>maven-archetype</role-hint>
      <implementation>org.apache.maven.lifecycle.mapping.DefaultLifecycleMapping</implementation>
      <configuration>
        
        <phases>
          <process-resources>org.apache.maven.plugins:maven-resources-plugin:resources</process-resources>
          <process-test-resources>org.apache.maven.plugins:maven-resources-plugin:testResources</process-test-resources>
          <package>org.apache.maven.plugins:maven-archetype-plugin:jar</package>
          <integration-test>org.apache.maven.plugins:maven-archetype-plugin:integration-test</integration-test>
          <install>org.apache.maven.plugins:maven-install-plugin:install,
            org.apache.maven.plugins:maven-archetype-plugin:update-local-catalog
          </install>
          
          <deploy>org.apache.maven.plugins:maven-deploy-plugin:deploy</deploy>
        </phases>
        
      </configuration>
    </component>

    <component>
      <role>org.apache.maven.artifact.handler.ArtifactHandler</role>
      <role-hint>maven-archetype</role-hint>
      <implementation>org.apache.maven.artifact.handler.DefaultArtifactHandler</implementation>
      <configuration>
        <type>maven-archetype</type>
        <extension>jar</extension>
        <packaging>maven-archetype</packaging>
      </configuration>
    </component>

  </components>
</component-set>

Answer 1

事实证明，这是Maven3与Maven2兼容的(有些模糊的)功能。任何插件(或扩展)如果没有声明对plexus的显式依赖，将会有一个对plexus的隐式依赖:增加了1.1。

你可以在这里看到我对这个决定的看法：archetype-packaging.jar:3.1.2 requires org.codehaus.plexus:plexus-utils:jar:1.1