Subject: CVS commit: [pkgsrc-2021Q3] pkgsrc/devel/apache-maven
From: Thomas Merkel
Date: 2021-10-16 22:29:42
Message id: 20211016202942.E3E7DFA94@cvs.NetBSD.org
Log Message:
Pullup ticket #6518 - requested by wiz
devel/apache-maven: security fix
Revisions pulled up:
- devel/apache-maven/Makefile 1.18
- devel/apache-maven/PLIST 1.12
- devel/apache-maven/distinfo 1.20
- devel/apache-maven/patches/patch-bin_mvn 1.9
---
Module Name: pkgsrc
Committed By: wiz
Date: Fri Oct 8 15:08:21 UTC 2021
Modified Files:
pkgsrc/devel/apache-maven: Makefile PLIST distinfo
pkgsrc/devel/apache-maven/patches: patch-bin_mvn
Log Message:
apache-maven: update to 3.8.3.
3.8.3
** Bug
* [MNG-7045] - Drop CDI API from Maven
* [MNG-7214] - Bad transitive dependency parent from CDI API
* [MNG-7215] - [Regression] Maven Site Plugin cannot resolve parent site descriptor without locale
* [MNG-7216] - Revert MNG-7170
* [MNG-7218] - [Regression] o.a.m.model.Build.getSourceDirectory() incorrectly returns absolute dir on 3.8.2
* [MNG-7219] - [Regression] plexus-cipher missing from transitive dependencies
* [MNG-7220] - [REGRESSION] test-classpath incorrectly resolved
* [MNG-7251] - Fix threadLocalArtifactsHolder leaking into cloned project
* [MNG-7253] - Relocation message is never shown
** New Feature
* [MNG-7164] - Add constructor MojoExecutionException(Throwable)
** Improvement
* [MNG-7235] - Speed improvements when calculating the sorted project graph
* [MNG-7236] - The DefaultPluginVersionResolver should cache results for the session
** Task
* [MNG-7252] - Fix warnings issued by dependency:analyze
* [MNG-7254] - Expand Windows native libraries for Jansi due to JDK-8195129 (workaround)
3.8.2
** Sub-task
* [MNG-6281] - ArrayIndexOutOfBoundsException caused by pom.xml with invalid/duplicate XML
** Bug
* [MNG-4706] - Multithreaded building can create bad files for downloaded artifacts in local repository
* [MNG-5307] - NPE during resolution of dependencies - parallel mode
* [MNG-5315] - Artifact resolution sporadically fails in parallel builds
* [MNG-5838] - Maven on No-File-Lock Systems
* [MNG-5868] - Adding serval times the same artifact via MavenProjectHelper (attachArtifact) keep adding to the List duplicate artifacts
* [MNG-6071] - GetResource ('/) returns 'null' if build is started with -f
* [MNG-6216] - ArrayIndexOutOfBoundsException when parsing POM
* [MNG-6239] - Jansi messes up System.err and System.out
* [MNG-6380] - Option -Dstyle.color=always doesn't force color output
* [MNG-6604] - Intermittent failures while downloading GAVs from Nexus
* [MNG-6648] - 'mavenrc_pre' script does not receive arguments like mavenrc in Bourne shell does
* [MNG-6719] - mvn color output escape keys w/ "| tee xxx.log" on Win with git/bash
* [MNG-6737] - StackOverflowError when version ranges are unsolvable and graph contains a cycle
* [MNG-6767] - Plugin with ${project.groupId} resolved improperly
* [MNG-6819] - NullPointerException for DefaultArtifactDescriptorReader.loadPom
* [MNG-6828] - DependencyResolutionException breaks serialization
* [MNG-6842] - ProjectBuilderTest uses Guava, but Guava is not defined in dependencies
* [MNG-6843] - Parallel build fails due to missing JAR artifacts in compilePath
* [MNG-6850] - Prevent printing the EXEC_DIR when it's just a disk letter
* [MNG-6921] - Maven compile with properties ${artifactId} and ${project.build.finalName} occurs java.lang.NullPointerException
* [MNG-6937] - StringSearchModelInterpolatorTest fails on symlinked paths
* [MNG-6964] - Maven version sorting is internally inconsistent
* [MNG-6983] - Plugin key can get out of sync with artifactId and groupId
* [MNG-7000] - metadata.mdo contains invalid link to schema
* [MNG-7032] - Option -B still showing formatting when used with --version
* [MNG-7034] - StackOverflowError thrown if a cycle exists in BOM imports
* [MNG-7090] - mvnDebug does not work on Java 11+
* [MNG-7127] - NullPointerException in MavenCliTest.testStyleColors in JDK 16
* [MNG-7155] - make sources jar reproducible (upgrade maven-source-plugin to 3.2.1)
* [MNG-7161] - Error thrown during uninstalling of JAnsi
** New Feature
* [MNG-7149] - Introduce MAVEN_DEBUG_ADDRESS in mvnDebug scripts
** Improvement
* [MNG-2802] - Concurrent-safe access to local Maven repository
* [MNG-6471] - Parallel builder should use the module name as thread name
* [MNG-6754] - Set the same timestamp in multi module builds
* [MNG-6810] - Remove profiles in maven-model
* [MNG-6811] - Remove unnecessary filtering configuration
* [MNG-6816] - Prefer System.lineSeparator() over system properties
* [MNG-6827] - Replace deprecated StringUtils#defaultString() from Plexus Utils
* [MNG-6837] - Simplify detection of the MAVEN_HOME and make it fully qualified on Windows
* [MNG-6844] - Use StandardCharsets and remove outdated @SuppressWarnings
* [MNG-6853] - Don't box primitives where it's not needed
* [MNG-6859] - Build not easily reproducible when built from source release archive
* [MNG-6873] - Inconsistent library versions notice
* [MNG-6967] - Improve the command line output from maven-artifact
* [MNG-6987] - Reorder groupId before artifactId when writing an exclusion using maven-model
* [MNG-7010] - Omit "NB: JAVA_HOME should point to a JDK not a JRE" except when that is the problem
* [MNG-7064] - Use HTTPS for schema location in global settings.xml
* [MNG-7080] - Add a --color option
* [MNG-7170] - Allow to associate pomFile/${basedir} with DefaultProjectBuilder.build(ModelSource, ...)
* [MNG-7180] - Make --color option behave more like BSD/GNU grep's --color option
* [MNG-7181] - Make --version support -q
* [MNG-7185] - Describe explicit and recommended version for VersionRange.createFromVersionSpec()
* [MNG-7190] - Load mavenrc from /usr/local/etc also in Bourne shell script
** Task
* [MNG-6598] - Maven 3.6.0 and Surefire problem
* [MNG-6884] - Cleanup POM File after version upgrade
* [MNG-7172] - Remove expansion of Jansi native libraries
* [MNG-7184] - document .mavenrc/maven_pre.bat|cmd scripts and MAVEN_SKIP_RC environment variable
3.8.1
This release with CVE fixes is a result based on the findings and feedback of Jonathan Leitschuh and Olaf Flebbe.
One of the changes that might impact your builds is the way custom repositories defined in dependency POMs will be handled.
By default external insecure repositories will now be blocked (localhost over HTTP will still work).
Configuration can be adjusted via the conf/settings.xml.
Release Notes - Maven - Version 3.8.1
** Bug
* [MNG-7128] - improve error message when blocked repository defined in build POM
** New Feature
* [MNG-7116] - Add support for mirror selector on external:http:*
* [MNG-7117] - Add support for blocking mirrors
* [MNG-7118] - Block external HTTP repositories by default
** Dependency upgrade
* [MNG-7119] - Upgrade Maven Wagon to 3.4.3
* [MNG-7123] - Upgrade Maven Resolver to 1.6.2
Files: