Upgrade Maven API 3.8.7 -> 3.9.5

[Picnic-Bot]

This PR contains the following updates:

Package	Type	Update	Change
Maven API	compile	minor	3.8.7 -> 3.9.6

---

Release Notes

apache/maven (Maven API)

v3.9.6: 3.9.6

Release Notes - Maven - Version 3.9.6

Improvement

• [MNG-7939] - Allow to exclude plugins from validation

Dependency upgrade

• [MNG-7913] - Upgrade Sisu version to 0.9.0.M2
• [MNG-7934] - Upgrade Resolver version to 1.9.18
• [MNG-7942] - Upgrade to parent POM 41
• [MNG-7943] - Upgrade default plugin bindings

v3.9.5: 3.9.5

Release Notes - Maven - Version 3.9.5

Bug

• [MNG-7851] - Error message when modelVersion is 4.0 is confusing

Improvement

• [MNG-7875] - colorize transfer messages
• [MNG-7895] - Support ${project.basedir} in file profile activation

Task

• [MNG-7856] - Maven Resolver Provider classes ctor change
• [MNG-7870] - Undeprecate wrongly deprecated repository metadata
• [MNG-7872] - Deprecate org.apache.maven.repository.internal.MavenResolverModule
• [MNG-7874] - maven-resolver-provider: introduce NAME constants.

Dependency upgrade

• [MNG-7859] - Update to Resolver 1.9.16

v3.9.4: 3.9.4

Release Notes - Maven - Version 3.9.4

Bug

• [MNG-7846] - endless loop in DefaultExceptionHandler.getMessage()

Dependency upgrade

• [MNG-7828] - Bump guava from 31.1-jre to 32.0.1-jre
• [MNG-7847] - Upgrade to Resolver 1.9.14

Full Changelog: apache/maven@maven-3.9.3...maven-3.9.4

v3.9.3: 3.9.3

Release Notes - Maven - Version 3.9.3

Bug

• [MNG-7786] - Maven Plugin Validation message is misleading
• [MNG-7795] - IllegalArgumentException: 'other' has different root during plugin validation
• [MNG-7796] - Top directory cannot be computed
• [MNG-7799] - Plugin validation falsely reports there are issues (but shows none)
• [MNG-7811] - Plugins verification - reports are inconsistent
• [MNG-7818] - [REGRESSION] maven improperly excludes hamcrest-core from junit
• [MNG-7819] - Create IT that exercise file locking with snapshots

Improvement

• [MNG-7698] - Allow comments in .mvn/maven.config
• [MNG-7785] - Clean usage of SessionData
• [MNG-7787] - Introduce new options for plugin validation
• [MNG-7788] - Plugin Validation Report should be printed before build summary
• [MNG-7789] - Plugin Dependency Validations use wrong data set
• [MNG-7806] - Plugins verification - remove used in module(s) report
• [MNG-7823] - Make plugin validation level parsing more consistent

Task

• [MNG-5987] - Document the algorithm calculating the order of plugin executions inside a phase.
• [MNG-7743] - Make the build work on JDK 20
• [MNG-7790] - Update lifecycle plugins
• [MNG-7791] - Split validation issues into "user actionable" and "plugin dev actionable"
• [MNG-7797] - Return BRIEF mode, simply map it onto SUMMARY
• [MNG-7807] - Update Super POM plugins

Dependency upgrade

• [MNG-7800] - Upgrade to Maven Resolver 1.9.13
• [MNG-7816] - Bump maven parent from 39 to 40

v3.9.2: 3.9.2

Release Notes - Maven - Version 3.9.2

Bug

• [MNG-7750] - Interpolated properties in originalModel in an active profile.
• [MNG-7759] - java.lang.NullPointerException at org.apache.maven.repository.internal.DefaultModelCache.newInstance (DefaultModelCache.java:37)

Improvement

• [MNG-7712] - Core should issue a warning if plugin depends on maven-compat
• [MNG-7741] - Add more information when using -Dmaven.repo.local.recordReverseTree=true
• [MNG-7754] - Improvement and extension of plugin validation
• [MNG-7767] - Tone down plugin validation report
• [MNG-7778] - Maven should print suppressed exceptions when a mojo fails

Task

• [MNG-7749] - Upgrade animal-sniffer from 1.21 to 1.23
• [MNG-7774] - Maven config and command line interpolation

Dependency upgrade

• [MNG-7670] - Upgrade misc dependencies
• [MNG-7753] - Upgrade to Maven Resolver 1.9.8
• [MNG-7769] - Upgrade to Maven Resolver 1.9.10

v3.9.1: 3.9.1

Release Notes - Maven - Version 3.9.1

Overview About the Changes

Regression fixes from Maven 3.9.0. General performance and other fixes.

Potentially Breaking Core Changes (if migrating from 3.8.x)

• The Maven Resolver transport has changed from Wagon to “native HTTP”, see Resolver Transport guide.

• Maven 2.x was auto-injecting an ancient version of plexus-utils dependency into the plugin classpath, and Maven 3.x continued doing this to preserve backward compatibility. Starting with Maven 3.9, it does not happen anymore. This change may lead to plugin breakage. The fix for affected plugin maintainers is to explicitly declare a dependency on plexus-utils. The workaround for affected plugin users is to add this dependency to plugin dependencies until issue is fixed by the affected plugin maintainer. See MNG-6965.

• Mojos are prevented to boostrap new instance of RepositorySystem (for example by using deprecated ServiceLocator), they should reuse RepositorySystem instance provided by Maven instead. See MNG-7471.

• Each line in .mvn/maven.config is now interpreted as a single argument. That is, if the file contains multiple arguments, these must now be placed on separate lines, see MNG-7684.

Bug

• [MNG-7213] - StackOverflowError when version ranges are unsolvable and graph contains a cycle
• [MNG-7544] - MavenMetadataSource#retrieve(MetadataResolutionRequest) does not check for null when reading from project map
• [MNG-7676] - On Maven 3.9.0+ release, sha512 hashes have "null" classifier
• [MNG-7677] - Maven 3.9.0 is ~10% slower than 3.8.7 in large multi-module builds
• [MNG-7679] - [REGRESSION] Build fails when executing a single mojo without a POM
• [MNG-7685] - Unable to ignore certificate errors with v3.9.0
• [MNG-7693] - NPE in createModelCache, modelCacheFactory is null
• [MNG-7697] - Cannot parse POM that contains an emoji in a comment
• [MNG-7708] - Resolver in Maven 3.9+ no longer retries on a conection failure
• [MNG-7709] - plexus-utils upgrade changes the way configuration is parsed
• [MNG-7710] - Upgrade plexus-utils to 3.5.1
• [MNG-7716] - ConcurrencyDependencyGraph deadlock if no root can be selected
• [MNG-7717] - Maven warns wrongly about ${localRepository} expression
• [MNG-7720] - [REGRESSION] Build order is incorrect and does not respect Reactor Build Order
• [MNG-7721] - Maven 3.9 resolver ignores proxy configured via MAVEN_OPTS
• [MNG-7726] - Maven 3.9.0 resolves properties in file profile activation incorrectly
• [MNG-7731] - MNG-7520 incorrectly back ported to Maven 3.9.0

Improvement

• [MNG-5185] - Improve "missing dependency" error message when _maven.repositories/_remote.repositories contains other repository ids than requested
• [MNG-7686] - Speed up by replacing non-pattern #replaceAll() with #replace() or precompiled patterns
• [MNG-7706] - Deprecate ${localRepository} mojo parameter expression

Task

• [MNG-7197] - Simplify exit code handling in Windows command startup script
• [MNG-7583] - Allow concurrent access to the MavenPluginManager
• [MNG-7702] - Update to Maven Deploy Plugin 3.1.0
• [MNG-7713] - Drop option legacy-local-repository
• [MNG-7722] - Investigate GH Package Registry peculiarities

Dependency upgrade

• [MNG-7695] - Upgrade to resolver 1.9.5
• [MNG-7715] - Upgrade to Maven Resolver 1.9.6
• [MNG-7723] - Upgrade to Maven Resolver 1.9.7
• [MNG-7725] - Update surefire to 3.0.0 in default binding

v3.9.0: 3.9.0

Release Notes - Maven - Version 3.9.0

Sub-task

• [MNG-7019] - Notify also at start when profile is missing
• [MNG-7447] - Several Improvements by using Stream API

Bug

• [MNG-5222] - Maven 3 no longer logs warnings about deprecated plugin parameters.
• [MNG-6965] - Extensions suddenly have org.codehaus.plexus:plexus-utils:jar:1.1 on their classpath
• [MNG-7055] - Using MINSTALL/DEPLOY 3.0.0-M1+ does not write plugin information into maven-metadata.xml
• [MNG-7106] - VersionRange.toString() produces a string that cannot be parsed with VersionRange.createFromVersionSpec() for same lower and upper bounds
• [MNG-7131] - maven.config doesn't handle arguments with spaces in them
• [MNG-7160] - Extension And Classloaders: difference of result given extension types
• [MNG-7316] - REGRESSION: MavenProject.getAttachedArtifacts() is read-only
• [MNG-7352] - org.apache.maven.toolchain.java.JavaToolchainImpl should be public
• [MNG-7413] - Fix POM model documentation confusion on report plugins, distribution repository and profile build
• [MNG-7425] - Maven artifact downloads sometimes result in empty zip files in local repository
• [MNG-7432] - [REGRESSION] Resolver session contains non-MavenWorkspaceReader
• [MNG-7433] - [REGRESSION] Multiple maven instances working on same source tree can lock each other
• [MNG-7441] - Update Version of (optional) Logback to Address CVE-2021-42550
• [MNG-7448] - Don't ignore bin/ otherwise bin/ in apache-maven module cannot be readded
• [MNG-7459] - Revert MNG-7347 (SessionScoped beans should be singletons for a given session)
• [MNG-7471] - Resolver 1.8.0 introduces binary breakage in plugin using Resolver
• [MNG-7487] - Fix deadlock during forked lifecycle executions
• [MNG-7493] - [REGRESSION] Resolving dependencies between submodules fails
• [MNG-7504] - Warning about unknown reportPlugins parameters for m-site-p are always generated
• [MNG-7511] - Ensure the degreeOfConcurrency is a positive number in MavenExecutionRequest
• [MNG-7515] - Cannot see a dependency tree for apache-maven module
• [MNG-7529] - Maven resolver makes bad repository choices when resolving version ranges
• [MNG-7545] - Multi building can create bad files for downloaded artifacts in local repository
• [MNG-7563] - REGRESSION: User properties now override model properties in dependencies
• [MNG-7564] - Potential NPE in MavenMetadataSource
• [MNG-7568] - [WARNING] The requested profile "ABCDEF" could not be activated because it does not exist.
• [MNG-7578] - Building Linux image on Windows impossible (patch incuded)
• [MNG-7600] - LocalRepositoryManager is created too early
• [MNG-7606] - Maven 3.9.0-SNAPSHOT cannot build Maven 4.0.0-SNAPSHOT
• [MNG-7621] - Parameter '-f' causes ignoring any 'maven.config' (only on Windows)
• [MNG-7624] - Plugins without non-mandatory goalPrefix are now logging incomplete info
• [MNG-7637] - Possible NPE in MavenProject#hashCode()
• [MNG-7644] - Fix version comparison where .X1 < -X2 for any string qualifier X
• [MNG-7648] - Generated model reader is not setting location information
• [MNG-7672] - Aggregate goals executed in a submodule forks the whole reactor

New Feature

• [MNG-3655] - Allow multiple local repositories
• [MNG-6270] - Store snapshots in a separate local repository
• [MNG-7193] - Introduce MAVEN_ARGS environment variable
• [MNG-7353] - Add support for "mvn pluginPrefix:version:goal"
• [MNG-7391] - Add MojoExecution strategy and runner required by Maven Build Cache Extension
• [MNG-7454] - Include resolver-transport-http in Maven
• [MNG-7457] - Warn about deprecated plugin Mojo
• [MNG-7464] - Warn about using read-only parameters for Mojo in configuration
• [MNG-7468] - Unsupported plugins parameters in configuration should be verified
• [MNG-7486] - Create a multiline message helper for boxed log messages
• [MNG-7612] - Chained Local Repository

Improvement

• [MNG-6609] - Profile activation by packaging
• [MNG-6826] - Remove condition check for JDK8+ in FileSizeFormatTest
• [MNG-6972] - Allow access to org.apache.maven.graph
• [MNG-7068] - Active dependency management for Google Guice/Guava
• [MNG-7350] - Introduce a factory for ModelCache
• [MNG-7401] - Make MavenSession#getCurrentProject() using a thread local
• [MNG-7438] - add execution id to "Configuring mojo xxx with basic configurator" debug message
• [MNG-7445] - to refactor some useless code
• [MNG-7463] - Improve documentation about deprecation in Mojo
• [MNG-7474] - SessionScoped beans should be singletons for a given session
• [MNG-7476] - Display a warning when an aggregator mojo is locking other mojo executions
• [MNG-7478] - Improve transport selection for resolver
• [MNG-7501] - display relative path to pom.xml
• [MNG-7520] - Simplify integration of Redisson and Hazelcast for Maven Resolver
• [MNG-7547] - Simplify G level metadata handling
• [MNG-7561] - DefaultVersionRangeResolver should not try to resolve versions with same upper and lower bound
• [MNG-7590] - Allow configure resolver by properties in settings.xml
• [MNG-7608] - Make Resolver native transport the default in Maven
• [MNG-7614] - Maven should translate transport configuration fully to resolver transports.
• [MNG-7619] - Maven should explain why an artifact is present in local repository
• [MNG-7645] - Implement some #toString() methods
• [MNG-7651] - Simplify and document merge of maven.config file and CLI args
• [MNG-7658] - CI-friendly versions should only come from/rely on user properties
• [MNG-7666] - Update default binding and lifecycle plugin versions

Task

• [MNG-6399] - Lift JDK minimum to JDK 8
• [MNG-7452] - Remove JDK7 run on Maven 3.9.X Branch
• [MNG-7466] - Align Assembly Descriptor NS versions
• [MNG-7513] - Address commons-io_commons-io vulnerability found in maven latest version
• [MNG-7523] - Back port MAVEN_ARGS to Apache Maven 3.9.0
• [MNG-7556] - Clean up notion between user properties and system properties
• [MNG-7618] - Use goalPrefix instead of artifactId to display mojos being executed
• [MNG-7634] - Revert MNG-5982 and MNG-7417
• [MNG-7636] - Partially revert MNG-5868 to restore backward compatibility (see MNG-7316)

Dependency upgrade

• [MNG-6878] - Upgrade Guice to 4.2.3
• [MNG-7247] - Upgrade Maven Resolver to 1.7.2
• [MNG-7453] - Upgrade Maven Resolver to 1.8.0
• [MNG-7488] - Upgrade SLF4J to 1.7.36
• [MNG-7489] - Upgrade JUnit to 4.13.2
• [MNG-7491] - Update parent POM to 36
• [MNG-7499] - Upgrade Maven Resolver to 1.8.1
• [MNG-7502] - Upgrade Guice to 5.1.0
• [MNG-7506] - Upgrade Maven Wagon to 3.5.2
• [MNG-7522] - Upgrade Maven Resolver to 1.8.2
• [MNG-7530] - Upgrade Apache Maven parent POM to version 37
• [MNG-7586] - Update Maven Resolver to 1.9.2
• [MNG-7613] - Upgrade Apache Maven parent POM to version 38
• [MNG-7641] - Upgrade Maven Wagon to 3.5.3
• [MNG-7668] - Update Maven Resolver to 1.9.4
• [MNG-7675] - Update Maven Parent to 39

---

• If you want to rebase/retry this PR, check this box

[Stephan202]

The build will fail until GHA uses Maven 3.8.7. There's also the convenience of OSS contributors to consider, so I guess we should not be in a hurry to merge this PR.

Suggested commit message:

Upgrade Maven API 3.8.6 -> 3.8.7 (#434)

See:
- https://maven.apache.org/docs/3.8.7/release-notes.html
- https://github.com/apache/maven/releases/tag/maven-3.8.7
- https://github.com/apache/maven/compare/maven-3.8.6...maven-3.8.7

[rickie]

so I guess we should not be in a hurry to merge this PR.

WDYT of adding pause renovate label for a while?

[Stephan202]

WDYT of adding pause renovate label for a while?

Makes sense if the Maven version is hardcoded in setup-java or one of the other actions (not clear to me). OTOH, if the version is dynamically determined/upgraded, then a ~daily rebuild is not a bad idea.

[Picnic-Bot]

Suggested commit message:

Upgrade Maven API 3.8.7 -> 3.9.5 (#434)

See:
- https://maven.apache.org/release-notes-all.html
- https://github.com/apache/maven/releases/tag/maven-3.9.0
- https://github.com/apache/maven/releases/tag/maven-3.9.1
- https://github.com/apache/maven/releases/tag/maven-3.9.2
- https://github.com/apache/maven/releases/tag/maven-3.9.3
- https://github.com/apache/maven/releases/tag/maven-3.9.4
- https://github.com/apache/maven/releases/tag/maven-3.9.5
- https://github.com/apache/maven/compare/maven-3.8.7...maven-3.9.5

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[rickie]

It's 🟢 but maybe we should still wait for a little longer. WDYT?

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[rickie]

Need to leave now, will take a look tomorrow. Need to check out GHA :).

[Stephan202]

The issue is that GitHub actions is still on Apache Maven 3.8.8.

[rickie]

Yeah I was going to check if there were any changes there 😬, but that's probably not the case then.

[Stephan202]

This PR will get unlocked by #964, though likely we'll want to target Maven 3.9.5, for compatibility with mvnd.

Additionally, we should update the reproducible build spec to build releases with a more recent version of Maven.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[Stephan202]

K, I rebased the branch and downgraded to Maven 3.9.5. The release notes also reflect this, so assuming the build passes, I think this one is good to go, @rickie.

[Stephan202]

Additionally, we should update the reproducible build spec to build releases with a more recent version of Maven.

I filed jvm-repo-rebuild/reproducible-central#136.

[rickie]

I filed jvm-repo-rebuild/reproducible-central#136.

There we set the version to 3.9.6 though 🤔.

[rickie]

Rebased and resolved conflict!

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[sonarcloud]

Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

[Stephan202]

I filed jvm-repo-rebuild/reproducible-central#136.

There we set the version to 3.9.6 though 🤔.

Yep, because there we don't need mvnd compatibility.