Uses deprecated maven components

[Bananeweizen]

Use Maven 3.9.2. Run mvn help:help -Dmaven.plugin.validation=VERBOSE on any project using the spotbugs-maven-plugin to see these warnings:

[WARNING]  * com.github.spotbugs:spotbugs-maven-plugin:4.7.3.4
...
[WARNING]   Plugin issue(s):
[WARNING]    * Plugin depends on plexus-container-default, which is EOL

For reference, please check the last item of https://maven.apache.org/docs/3.9.2/release-notes.html#notable-new-features

[hazendaz]

Thanks! I plan to look at this as soon as possible. If you or anyone reading this knows how to fix the issue, would love to get a PR :)

[basil]

Suggest the following patch:

diff --git a/pom.xml b/pom.xml
index b1d326b..4931f85 100644
--- a/pom.xml
+++ b/pom.xml
@@ -363,12 +363,6 @@
       <groupId>org.apache.maven.reporting</groupId>
       <artifactId>maven-reporting-impl</artifactId>
       <version>${mavenReportingVersion}</version>
-      <exclusions>
-        <exclusion>
-          <groupId>org.codehaus.plexus</groupId>
-          <artifactId>plexus-container-default</artifactId>
-        </exclusion>
-      </exclusions>
     </dependency>
 
     <dependency>
@@ -443,6 +437,10 @@
           <groupId>commons-logging</groupId>
           <artifactId>commons-logging</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>org.codehaus.plexus</groupId>
+          <artifactId>plexus-container-default</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -494,6 +492,12 @@
       <groupId>org.apache.maven.doxia</groupId>
       <artifactId>doxia-integration-tools</artifactId>
       <version>${doxiaSiteToolsVersion}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>org.codehaus.plexus</groupId>
+          <artifactId>plexus-container-default</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <!-- Commons -->
@@ -551,27 +555,10 @@
     </dependency>
 
     <!-- plexus -->
-    <dependency>
-      <groupId>org.codehaus.plexus</groupId>
-      <artifactId>plexus-container-default</artifactId>
-      <version>${plexusContainerVersion}</version>
-      <exclusions>
-          <exclusion>
-              <groupId>com.google.collections</groupId>
-              <artifactId>google-collections</artifactId>
-          </exclusion>
-      </exclusions>
-    </dependency>
     <dependency>
       <groupId>org.codehaus.plexus</groupId>
       <artifactId>plexus-resources</artifactId>
       <version>${plexusResourcesVersion}</version>
-      <exclusions>
-        <exclusion>
-          <groupId>org.codehaus.plexus</groupId>
-          <artifactId>plexus-container-default</artifactId>
-        </exclusion>
-      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.codehaus.plexus</groupId>
-- 
2.34.1

[acearth]

Same warning message got , hope you can solve it ASAP

[hazendaz]

its more complicated than expected. maven also has this same problem on many of their own plugins still. Its a warning for now and nothing to be overtly concerned on yet. It will only matter when maven 4.0 lands which I sort of doubt is this year. The warnings themselves will go away by default with maven 3.9.3 (at least current plan) so that users are not being hit with warnings they cannot do anything about. I think for the most part all the various plugins getting these issues already got notified.

If anyone wants to try to tackle this and raise PR great! If not, it may be a while as I don't have the time right now as I'm also restoring long dead plugins that are still in use to work with maven 4 as well as other project work and this isn't that critical.

[hazendaz]

@basil If you think that works, please raise a PR to confirm. I doubt that will resolve the issue though given physical code actually has to change and that seems to be trying to rig it if the code doesn't matter. There is deprecated code in this from maven standpoint that actually has to change. You may get slightly newer items in use possibly that way but still...needs coding.

[basil]

I tested the suggested patch, and I know that it works. Sorry, but I am not interested in submitting a pull request.

[hazendaz]

@basil Suggested fix only allowed same library to be used. I've entirely removed it. I had nothing direct on it and after reviewing maven internals, it appears to all have come from the logging api and the logging api doesn't appear to use it at all and parts of doxia that do appear to inject to get a logger during tests. All integration tests without it seem to have no issues. I've also built an additional github actions to run maven 4. I have not merged this up yet but will be shortly and will close after done.

My other reference to deprecated items that need replaced while accurate, are from a separate problem. I've further cleaned up exclusions and fixed a number of CVEs since spotbugs has yet to release for some time. As long as all my builds go ok, I will be also shortly releasing this as it is for now. For the most part if doxia really needs the portion of code, version 4 would not and its possible more of this needs in a provided based scope but did so much here I think its worth getting out and see how this goes.

[hazendaz]

resolved, closing.