--- - branch: pkgsrc-2021Q3 date: Sat Oct 16 20:29:42 UTC 2021 files: - new: 1.17.10.1 old: '1.17' path: pkgsrc/devel/apache-maven/Makefile pathrev: pkgsrc/devel/apache-maven/Makefile@1.17.10.1 type: modified - new: 1.11.10.1 old: '1.11' path: pkgsrc/devel/apache-maven/PLIST pathrev: pkgsrc/devel/apache-maven/PLIST@1.11.10.1 type: modified - new: 1.18.10.1 old: '1.18' path: pkgsrc/devel/apache-maven/distinfo pathrev: pkgsrc/devel/apache-maven/distinfo@1.18.10.1 type: modified - new: 1.8.12.1 old: '1.8' path: pkgsrc/devel/apache-maven/patches/patch-bin_mvn pathrev: pkgsrc/devel/apache-maven/patches/patch-bin_mvn@1.8.12.1 type: modified id: 20211016T202942Z.e32313baf29476af193edcfa549cb4332109a0b5 log: "Pullup ticket #6518 - requested by wiz\ndevel/apache-maven: security fix\n\nRevisions pulled up:\n- devel/apache-maven/Makefile 1.18\n- devel/apache-maven/PLIST 1.12\n- devel/apache-maven/distinfo \ 1.20\n- devel/apache-maven/patches/patch-bin_mvn \ 1.9\n\n---\n Module Name:\tpkgsrc\n Committed By:\twiz\n \ Date:\t\tFri Oct 8 15:08:21 UTC 2021\n\n Modified Files:\n \tpkgsrc/devel/apache-maven: Makefile PLIST distinfo\n \tpkgsrc/devel/apache-maven/patches: patch-bin_mvn\n\n \ Log Message:\n apache-maven: update to 3.8.3.\n\n 3.8.3\n\n ** Bug\n \ * [MNG-7045] - Drop CDI API from Maven\n * [MNG-7214] - Bad transitive dependency parent from CDI API\n * [MNG-7215] - [Regression] Maven Site Plugin cannot resolve parent site descriptor without locale\n * [MNG-7216] - Revert MNG-7170\n * [MNG-7218] - [Regression] o.a.m.model.Build.getSourceDirectory() incorrectly returns absolute dir on 3.8.2\n * [MNG-7219] - [Regression] plexus-cipher missing from transitive dependencies\n * [MNG-7220] - [REGRESSION] test-classpath incorrectly resolved\n * [MNG-7251] - Fix threadLocalArtifactsHolder leaking into cloned project\n * [MNG-7253] - Relocation message is never shown\n\n ** New Feature\n * [MNG-7164] - Add constructor MojoExecutionException(Throwable)\n\n \ ** Improvement\n * [MNG-7235] - Speed improvements when calculating the sorted project graph\n * [MNG-7236] - The DefaultPluginVersionResolver should cache results for the session\n\n ** Task\n * [MNG-7252] - Fix warnings issued by dependency:analyze\n * [MNG-7254] - Expand Windows native libraries for Jansi due to JDK-8195129 (workaround)\n\n 3.8.2\n\n ** Sub-task\n \ * [MNG-6281] - ArrayIndexOutOfBoundsException caused by pom.xml with invalid/duplicate XML\n\n ** Bug\n * [MNG-4706] - Multithreaded building can create bad files for downloaded artifacts in local repository\n * [MNG-5307] - NPE during resolution of dependencies - parallel mode\n * [MNG-5315] - Artifact resolution sporadically fails in parallel builds\n * [MNG-5838] - Maven on No-File-Lock Systems\n * [MNG-5868] - Adding serval times the same artifact via MavenProjectHelper (attachArtifact) keep adding to the List duplicate artifacts\n \ * [MNG-6071] - GetResource ('/) returns 'null' if build is started with -f\n * [MNG-6216] - ArrayIndexOutOfBoundsException when parsing POM\n * [MNG-6239] - Jansi messes up System.err and System.out\n * [MNG-6380] - Option -Dstyle.color=always doesn't force color output\n * [MNG-6604] - Intermittent failures while downloading GAVs from Nexus\n * [MNG-6648] - 'mavenrc_pre' script does not receive arguments like mavenrc in Bourne shell does\n * [MNG-6719] - mvn color output escape keys w/ \"| tee xxx.log\" on Win with git/bash\n * [MNG-6737] - StackOverflowError when version ranges are unsolvable and graph contains a cycle\n * [MNG-6767] - Plugin with ${project.groupId} resolved improperly\n * [MNG-6819] - NullPointerException for DefaultArtifactDescriptorReader.loadPom\n * [MNG-6828] - DependencyResolutionException breaks serialization\n * [MNG-6842] - ProjectBuilderTest uses Guava, but Guava is not defined in dependencies\n * [MNG-6843] - Parallel build fails due to missing JAR artifacts in compilePath\n * [MNG-6850] - Prevent printing the EXEC_DIR when it's just a disk letter\n * [MNG-6921] - Maven compile with properties ${artifactId} and ${project.build.finalName} occurs java.lang.NullPointerException\n \ * [MNG-6937] - StringSearchModelInterpolatorTest fails on symlinked paths\n \ * [MNG-6964] - Maven version sorting is internally inconsistent\n * [MNG-6983] - Plugin key can get out of sync with artifactId and groupId\n * [MNG-7000] - metadata.mdo contains invalid link to schema\n * [MNG-7032] - Option -B still showing formatting when used with --version\n * [MNG-7034] - StackOverflowError thrown if a cycle exists in BOM imports\n * [MNG-7090] - mvnDebug does not work on Java 11+\n * [MNG-7127] - NullPointerException in MavenCliTest.testStyleColors in JDK 16\n * [MNG-7155] - make sources jar reproducible (upgrade maven-source-plugin to 3.2.1)\n * [MNG-7161] - Error thrown during uninstalling of JAnsi\n\n ** New Feature\n * [MNG-7149] - Introduce MAVEN_DEBUG_ADDRESS in mvnDebug scripts\n\n ** Improvement\n * [MNG-2802] - Concurrent-safe access to local Maven repository\n * [MNG-6471] - Parallel builder should use the module name as thread name\n * [MNG-6754] - Set the same timestamp in multi module builds\n * [MNG-6810] - Remove profiles in maven-model\n * [MNG-6811] - Remove unnecessary filtering configuration\n \ * [MNG-6816] - Prefer System.lineSeparator() over system properties\n \ * [MNG-6827] - Replace deprecated StringUtils#defaultString() from Plexus Utils\n * [MNG-6837] - Simplify detection of the MAVEN_HOME and make it fully qualified on Windows\n * [MNG-6844] - Use StandardCharsets and remove outdated @SuppressWarnings\n * [MNG-6853] - Don't box primitives where it's not needed\n * [MNG-6859] - Build not easily reproducible when built from source release archive\n * [MNG-6873] - Inconsistent library versions notice\n * [MNG-6967] - Improve the command line output from maven-artifact\n \ * [MNG-6987] - Reorder groupId before artifactId when writing an exclusion using maven-model\n * [MNG-7010] - Omit \"NB: JAVA_HOME should point to a JDK not a JRE\" except when that is the problem\n * [MNG-7064] - Use HTTPS for schema location in global settings.xml\n * [MNG-7080] - Add a --color option\n * [MNG-7170] - Allow to associate pomFile/${basedir} with DefaultProjectBuilder.build(ModelSource, ...)\n * [MNG-7180] - Make --color option behave more like BSD/GNU grep's --color option\n * [MNG-7181] - Make --version support -q\n * [MNG-7185] - Describe explicit and recommended version for VersionRange.createFromVersionSpec()\n * [MNG-7190] - Load mavenrc from /usr/local/etc also in Bourne shell script\n\n ** Task\n * [MNG-6598] - Maven 3.6.0 and Surefire problem\n * [MNG-6884] - Cleanup POM File after version upgrade\n * [MNG-7172] - Remove expansion of Jansi native libraries\n * [MNG-7184] - document .mavenrc/maven_pre.bat|cmd scripts and\n MAVEN_SKIP_RC environment variable\n\n 3.8.1\n\n This release with CVE fixes is a result based on the findings and feedback of Jonathan Leitschuh\n \ and Olaf Flebbe.\n\n One of the changes that might impact your builds is the way custom repositories defined in\n dependency POMs will be handled.\n \ By default external insecure repositories will now be blocked (localhost over HTTP will still\n work).\n Configuration can be adjusted via the conf/settings.xml.\n\n \ Release Notes - Maven - Version 3.8.1\n\n ** Bug\n\n * [MNG-7128] - improve error message when blocked repository defined in build POM\n\n ** New Feature\n\n * [MNG-7116] - Add support for mirror selector on external:http:*\n \ * [MNG-7117] - Add support for blocking mirrors\n * [MNG-7118] - Block external HTTP repositories by default\n\n ** Dependency upgrade\n * [MNG-7119] - Upgrade Maven Wagon to 3.4.3\n * [MNG-7123] - Upgrade Maven Resolver to 1.6.2\n" module: pkgsrc subject: 'CVS commit: [pkgsrc-2021Q3] pkgsrc/devel/apache-maven' unixtime: '1634416182' user: tm