build(deps): update target-maven.version [security] #4468

renovate-bot · 2025-01-23T23:09:13Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.apache.maven:maven-core (source)	`3.0` -> `3.8.1`
org.apache.maven:maven-plugin-api (source)	`3.0` -> `3.9.11`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2021-26291

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html

Release Notes

apache/maven (org.apache.maven:maven-plugin-api)

`v3.9.11`: 3.9.11

🚀 New features and improvements

Augment version range resolution used repositories (#2574) @cstamas

🐛 Bug Fixes

Deduplicate filtered dependency graph (#2489) @alzimmermsft
Move ensure in boundaries of project lock (#2470) @cstamas

👻 Maintenance

[MNGSITE-393] - remove references to Maven 2 (#2438) @elharo
Update CONTRIBUTING after GitHub issues enabled (#2449) @slawekjaranowski
Enable Github Issues (3.9.x) (#2414) @Bukama
[MNG-8763] - Remove name from site bannerLeft (#2419) @slawekjaranowski

🔧 Build

Pin GitHub action versions by hash (#10898) @slawekjaranowski
Build the project by JDK 21 as default (#10896) @slawekjaranowski
Use Maven 3.9.10 for build on GitHub (#2452) @slawekjaranowski

📦 Dependency updates

Bump resolverVersion from 1.9.23 to 1.9.24 (#2540) @dependabot[bot]
Bump xmlunitVersion from 2.10.2 to 2.10.3 (#2500) @dependabot[bot]
Bump org.apache.maven:maven-parent from 44 to 45 (#2491) @dependabot[bot]
Bump org.codehaus.mojo:build-helper-maven-plugin from 3.6.0 to 3.6.1 (#2432) @dependabot[bot]

`v3.9.10`: 3.9.10

Release Notes - Maven - Version 3.9.10

Bug

[MNG-8096] - Inconsistent dependency resolution behaviour for concurrent multi-module build can cause failures
[MNG-8169] - MINGW support requires --add-opens java.base/java.lang=ALL-UNNAMED
[MNG-8170] - Maven 3.9.8 contains weird native library for Jansi on Windows/arm64
[MNG-8211] - Maven should fail builds that use CI Friendly versions but have no values set
[MNG-8248] - WARNING: A restricted method in java.lang.System has been called
[MNG-8256] - ProjectDependencyGraph bug: in case of filtering, non-direct module links are lost
[MNG-8315] - Failure of mvn.cmd if a .mvn directory is located at drive root
[MNG-8396] - Maven takes forever to resume
[MNG-8711] - "Duplicate artifact" in LifecycleDependencyResolver

Improvement

[MNG-8370] - Introduce maven.repo.local.head
[MNG-8399] - JDK 24+ issues warning about usage of sun.misc.Unsafe
[MNG-8707] - Add methods to remove compile and test source roots
[MNG-8712] - improve dependency version explanation: it's a requirement, not always effective version
[MNG-8717] - Remove maven-plugin-plugin:addPluginArtifactMetadata from default binding
[MNG-8722] - Use a single standalone version of asm
[MNG-8731] - Use https for xsi:schemaLocation in generated descriptors
[MNG-8734] - Simplify scripting like "get project version" cases

Task

[MNG-8728] - Bump Eclipse Sisu from 0.9.0.M3 to 0.9.0.M4 and use Java 24 on CI

Dependency upgrade

[MNG-8289] - Update Plexus annotations to 2.2.0
[MNG-8443] - Bump com.google.guava:guava from 33.2.1-jre to 33.4.0-jre
[MNG-8531] - Bump org.codehaus.plexus:plexus-utils from 3.5.1 to 3.6.0
[MNG-8532] - Bump commons-io:commons-io from 2.16.1 to 2.18.0
[MNG-8534] - Bump org.codehaus.mojo:buildnumber-maven-plugin from 3.2.0 to 3.2.1
[MNG-8635] - Bump com.google.guava:failureaccess from 1.0.2 to 1.0.3
[MNG-8636] - Bump com.google.guava:guava from 33.4.0-jre to 33.4.5-jre
[MNG-8640] - Bump org.apache.maven:maven-parent from 43 to 44
[MNG-8661] - Bump com.google.guava:guava from 33.4.5-jre to 33.4.6-jre
[MNG-8701] - Bump org.codehaus.plexus:plexus-interpolation from 1.27 to 1.28
[MNG-8702] - Bump org.codehaus.plexus:plexus-classworlds from 2.8.0 to 2.9.0
[MNG-8703] - Bump commons-io:commons-io from 2.18.0 to 2.19.0
[MNG-8704] - Bump com.google.guava:guava from 33.4.6-jre to 33.4.8-jre
[MNG-8705] - Bump commons-jxpath:commons-jxpath from 1.3 to 1.4.0
[MNG-8706] - Bump commons-cli:commons-cli from 1.8.0 to 1.9.0
[MNG-8715] - Bump org.fusesource.jansi:jansi from 2.4.1 to 2.4.2
[MNG-8716] - Bump resolver to 1.9.23
[MNG-8745] - Bump xmlunitVersion from 2.10.0 to 2.10.2

What's Changed

[MNG-8211] Fail the build if CI Friendly revision used without value by @cstamhttps://github.com/apache/maven/pull/1656l/1656
Add missing since by @cstamhttps://github.com/apache/maven/pull/1682l/1682
[MNG-8256] FilteredProjectDependencyGraph fix for non-transitive case by @cstamhttps://github.com/apache/maven/pull/1724l/1724
[MNG-8315] Failure of mvn.cmd if a .mvn folder is located at drive root by @fmarhttps://github.com/apache/maven/pull/1806l/1806
[MNG-8289] Update Plexus Annotations to 2.2.0 by @dependabhttps://github.com/apache/maven/pull/1666l/1666
[MNG-8370] Add maven.repo.local.head by @slawekjaranowshttps://github.com/apache/maven/pull/1915l/1915
[MNG-8443] Bump com.google.guava:guava from 33.2.1-jre to 33.4.0-jre by @dependabhttps://github.com/apache/maven/pull/1991l/1991
[MNG-8531] Bump org.codehaus.plexus:plexus-utils from 3.5.1 to 3.6.0 by @dependabhttps://github.com/apache/maven/pull/2013l/2013
[MNG-8532] Bump commons-io:commons-io from 2.16.1 to 2.18.0 by @dependabhttps://github.com/apache/maven/pull/1926l/1926
[MNG-8534] Bump org.codehaus.mojo:buildnumber-maven-plugin from 3.2.0 to 3.2.1 by @dependabhttps://github.com/apache/maven/pull/1699l/1699
Add PR Automation action by @slawekjaranowshttps://github.com/apache/maven/pull/2113l/2113
Bump com.google.guava:failureaccess from 1.0.2 to 1.0.3 by @dependabhttps://github.com/apache/maven/pull/2167l/2167
Bump com.google.guava:guava from 33.4.0-jre to 33.4.5-jre by @dependabhttps://github.com/apache/maven/pull/2168l/2168
[MNG-8640] Bump org.apache.maven:maven-parent from 43 to 44 by @dependabhttps://github.com/apache/maven/pull/2163l/2163
Use Maven 3.9.9 for build maven-3.9.x branch by @slawekjaranowshttps://github.com/apache/maven/pull/2177l/2177
[MNG-8248] Add enable-native-access to startup scripts by @slawekjaranowshttps://github.com/apache/maven/pull/2171l/2171
[MNG-8661] Bump com.google.guava:guava from 33.4.5-jre to 33.4.6-jre by @dependabhttps://github.com/apache/maven/pull/2185l/2185
Use dedicated local repo for ITs on Jenkins by @slawekjaranowshttps://github.com/apache/maven/pull/2255l/2255
[MNG-8701] Bump org.codehaus.plexus:plexus-interpolation from 1.27 to 1.28 by @dependabhttps://github.com/apache/maven/pull/2240l/2240
[MNG-8702] Bump org.codehaus.plexus:plexus-classworlds from 2.8.0 to 2.9.0 by @dependabhttps://github.com/apache/maven/pull/2241l/2241
[MNG-8703] Bump commons-io:commons-io from 2.18.0 to 2.19.0 by @dependabhttps://github.com/apache/maven/pull/2258l/2258
[MNG-8704] Bump com.google.guava:guava from 33.4.6-jre to 33.4.8-jre by @dependabhttps://github.com/apache/maven/pull/2264l/2264
[MNG-8705] Bump commons-jxpath:commons-jxpath from 1.3 to 1.4.0 by @dependabhttps://github.com/apache/maven/pull/2270l/2270
[MNG-8706] Bump commons-cli:commons-cli from 1.8.0 to 1.9.0 by @dependabhttps://github.com/apache/maven/pull/1665l/1665
[MNG-8715] Bump org.fusesource.jansi:jansi from 2.4.1 to 2.4.2 by @dependabhttps://github.com/apache/maven/pull/2280l/2280
[MNG-8707] Add methods to remove compile and test source roots by @gnodhttps://github.com/apache/maven/pull/2275l/2275
[MNG-8712] dependency version is a requirement, not effective by @hboutehttps://github.com/apache/maven/pull/2279l/2279
[MNG-8717] Remove maven-plugin-plugin:addPluginArtifactMetadata from default binding by @slawekjaranowshttps://github.com/apache/maven/pull/2295l/2295
[MNG-8169] Add opens java.base/java.lang=ALL-UNNAMED for MinGW by @slawekjaranowshttps://github.com/apache/maven/pull/2296l/2296
[MNG-8722] Use a single standalone version of asm by @slawekjaranowshttps://github.com/apache/maven/pull/2297l/2297
[MNG-8716] Bump resolver to 1.9.23 by @slawekjaranowshttps://github.com/apache/maven/pull/2282l/2282
[MNG-8731] Use https for xsi:schemaLocation in generated descriptors by @slawekjaranowshttps://github.com/apache/maven/pull/2343l/2343
[MNG-8711] Fix concurrent cache access by @slawekjaranowshttps://github.com/apache/maven/pull/2345l/2345
Update README.md by @slawekjaranowshttps://github.com/apache/maven/pull/2353l/2353
[MNG-8728] Bump Eclipse Sisu from 0.9.0.M3 to 0.9.0.M4 by @cstamhttps://github.com/apache/maven/pull/2359l/2359
[MNG-8728] Build ITs on JDK 21, 24 by @slawekjaranowshttps://github.com/apache/maven/pull/2360l/2360
[MNG-8734] Make Maven 3.9.10 ignore --raw-streams option by @cstamhttps://github.com/apache/maven/pull/2361l/2361
Bump xmlunitVersion from 2.10.0 to 2.10.1 by @dependabhttps://github.com/apache/maven/pull/2354l/2354
[MNG-8396] Backport: add cache layer to the filtered dep graph by @cstamhttps://github.com/apache/maven/pull/2393l/2393
[MNG-8745] Bump xmlunitVersion from 2.10.1 to 2.10.2 by @dependabhttps://github.com/apache/maven/pull/2389l/2389

New Contributors

@fmarot made their first contributihttps://github.com/apache/maven/pull/1806l/1806

Full Changelog: apache/maven@maven-3.9.9...maven-3.9.10

`v3.9.9`: 3.9.9

Release Notes - Maven - Version 3.9.9

Bug

[MNG-8159] - Fix search for topDirectory when using -f / --file for Maven 3.9.x
[MNG-8165] - Maven does not find extensions for -f when current dir is root
[MNG-8177] - Warning "'dependencyManagement.dependencies.dependency.systemPath' for com.sun:tools:jar refers to a non-existing file C:\Temp\jdk-11.0.23\..\lib\tools.jar"
[MNG-8178] - Profile activation based on OS properties is broken for "mvn site"
[MNG-8180] - Resolver will blindly assume it is deploying a plugin by presence of META-INF/maven/plugins.xml in JAR
[MNG-8182] - Missing or mismatching Trusted Checksum for some artifacts is not properly reported
[MNG-8188] - [REGRESSION] Property not resolved in profile pluginManagement

Task

[MNG-8206] - Remove Maven 2.1 (v 2.0) compatibility bits

Dependency upgrade

[MNG-8175] - Resolver 1.9.21
[MNG-8179] - Upgrade Parent to 43
[MNG-8193] - Resolver 1.9.22
[MNG-8198] - (build) Animal Sniffer 1.24
[MNG-8199] - Hamcrest 3.0

What's Changed

[MNG-8159] Fix search for topDirectory when using -f / --file by @gzmhttps://github.com/apache/maven/pull/1589l/1589
[MNG-7194] Test missing property evaluation by @pzygiehttps://github.com/apache/maven/pull/1570l/1570
[3.9.x] [MNG-8175] Update Resolver to 1.9.21 by @cstamhttps://github.com/apache/maven/pull/1598l/1598
[MNG-8178] Fall back to system properties for missing profile activation context properties by @kohlschuetthttps://github.com/apache/maven/pull/1603l/1603
[MNG-8179] Upgrade Parent to 43 by @slawekjaranowshttps://github.com/apache/maven/pull/1610l/1610
[MNG-8180] Fail install/deploy if rogue Maven Plugin metadata found by @cstamhttps://github.com/apache/maven/pull/1611l/1611
[3.9.x][MNG-8193] Update to Resolver 1.9.22 by @cstamhttps://github.com/apache/maven/pull/1627l/1627
[MNG-8199] Hamcrest 3.0 by @cstamhttps://github.com/apache/maven/pull/1631l/1631
[MNG-8182] Resolved errors were created based on collect exceptions by @cstamhttps://github.com/apache/maven/pull/1632l/1632
[MNG-8180] Handle NPE due non-existent tags by @cstamhttps://github.com/apache/maven/pull/1641l/1641
[MNG-8180] Back out from failing the build by @cstamhttps://github.com/apache/maven/pull/1642l/1642
[MNG-8206] Remove bad plugin.xml from maven-compat by @cstamhttps://github.com/apache/maven/pull/1646l/1646
[MNG-8177] Add contextual info for model warnings by @cstamhttps://github.com/apache/maven/pull/1633l/1633
[MNG-8188] Profile properties are not interpolated by @cstamhttps://github.com/apache/maven/pull/1634l/1634
[MNG-8165] Align mvn.sh script with mvn.cmd by @cstamhttps://github.com/apache/maven/pull/1647l/1647
[MNG-8165] Get rid of bashism creeped in by @cstamhttps://github.com/apache/maven/pull/1653l/1653

New Contributors

@gzm55 made their first contributihttps://github.com/apache/maven/pull/1589l/1589
@kohlschuetter made their first contributihttps://github.com/apache/maven/pull/1603l/1603

Full Changelog: apache/maven@maven-3.9.8...maven-3.9.9

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate-bot requested a review from a team as a code owner January 23, 2025 23:09

product-auto-label bot added the size: xs Pull request size is extra small. label Jan 23, 2025

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jan 23, 2025

product-auto-label bot added the api: bigtable Issues related to the googleapis/java-bigtable-hbase API. label Jan 23, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jan 23, 2025

renovate-bot force-pushed the renovate/target-maven.version branch from 2a3836d to 8e330a0 Compare March 6, 2025 21:52

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Mar 6, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Mar 6, 2025

renovate-bot force-pushed the renovate/target-maven.version branch from 8e330a0 to 06002d9 Compare March 6, 2025 22:43

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Mar 6, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Mar 6, 2025

renovate-bot force-pushed the renovate/target-maven.version branch from 06002d9 to 86fa0a3 Compare April 1, 2025 12:27