Maven installing multiple versions of the same dependency
Maven plugins (maven-compiler-plugin:3.8.1 and maven-surefire-plugin:3.0.0-M3) seem to be downloading multiple versions of the same dependency (plexus-utils) when running mvn clean package, even if I specify the latest version of plexus-utils in the dependencies. This doesn't cause any errors, but any version of plexus-utils prior to 3.0.16 is vulnerable to command injection.
Is there a way that I can stop this from happening?
EDIT: As per the suggestion below I tried including an exclusion, but I think this is only supported for dependencies and not plugins.
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-compiler-plugin</artifactId>
  <version>3.8.1</version>
  <exclusions>
    <exclusion>
      <groupId>org.codehaus.plexus</groupId>
      <artifactId>plexus-utils</artifactId>
    </exclusion>
  </exclusions>
</plugin>
While you cannot exclude dependencies for plugins (as you can with other dependencies), you can specify the exact version that will be used for a particular plugin.
If you have a parent POM, or any other linked POMs, you may need to add this to each plugin or dependency where this is used:
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-compiler-plugin</artifactId>
  <version>3.8.1</version>
  <dependencies>
    <dependency>
      <groupId>org.codehaus.plexus</groupId>
      <artifactId>plexus-utils</artifactId>
      <version>3.0.16</version>
    </dependency>
  </dependencies>
</plugin>
For me, I have just specified the Maven build plugin below,
spring-boot-maven-plugin
and I forced my version:
<plugin>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-maven-plugin</artifactId>
  <configuration>
    <includeSystemScope>true</includeSystemScope>
  </configuration>
  <dependencies>
    <dependency>
      <groupId>commons-codec</groupId>
      <artifactId>commons-codec</artifactId>
      <version>1.14</version>
    </dependency>
  </dependencies>
</plugin>
But still it was showing the older library version for "plexus-utils" and "commons-codec".
Then, looking at the Jenkins logs, it was actually running other plugins like
maven-surefire-plugin
maven-install-plugin
maven-compiler-plugin
So I needed to add these plugins and force my dependency in each:
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-compiler-plugin</artifactId>
  <dependencies>
    <dependency>
      <groupId>org.codehaus.plexus</groupId>
      <artifactId>plexus-utils</artifactId>
      <version>3.3.0</version>
    </dependency>
    <dependency>
      <groupId>commons-codec</groupId>
      <artifactId>commons-codec</artifactId>
      <version>1.14</version>
    </dependency>
  </dependencies>
</plugin>
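Both answers come down to the same rule: a plugin's classpath is resolved from the plugin's own POM, so neither the project's `<dependencies>` nor an `<exclusions>` block inside `<plugin>` changes which plexus-utils it loads, and the `<dependencies>` override has to be repeated on every plugin that actually runs (compiler, surefire, install, ...). The script below is an added example, not code from the question or either answer. It audits a POM for exactly that: for every plugin under `<build><plugins>` and `<build><pluginManagement>` it reports whether a plugin-level plexus-utils pin exists and meets the 3.0.16 floor the question cites, and can rewrite the POM to add or raise the pin. The sample POM is constructed for the example and only uses the standard library.

```python
import xml.etree.ElementTree as ET

MIN_PLEXUS_UTILS = "3.0.16"  # lowest version the question considers safe
PLEXUS = ("org.codehaus.plexus", "plexus-utils")

# Constructed sample POM, not the asker's: the project-level <dependency> is the
# attempt that has no effect on plugin classpaths; the three plugins are the ones
# the second answer saw running in Jenkins, here in three different states.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <dependencies><dependency>
    <groupId>org.codehaus.plexus</groupId><artifactId>plexus-utils</artifactId>
    <version>3.3.0</version>
  </dependency></dependencies>
  <build><plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-compiler-plugin</artifactId><version>3.8.1</version>
      <dependencies><dependency>
        <groupId>org.codehaus.plexus</groupId><artifactId>plexus-utils</artifactId>
        <version>3.0.16</version>
      </dependency></dependencies>
    </plugin>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-surefire-plugin</artifactId><version>3.0.0-M3</version>
      <dependencies><dependency>
        <groupId>org.codehaus.plexus</groupId><artifactId>plexus-utils</artifactId>
        <version>3.0.10</version>
      </dependency></dependencies>
    </plugin>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-install-plugin</artifactId><version>2.5.2</version>
    </plugin>
  </plugins></build>
</project>"""


def version_key(v):
    """Order dotted versions numerically ("3.0.16" > "3.0.9"); non-numeric
    segments compare as text, which is enough for plexus-utils release numbers."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.replace("-", ".").split("."))


def _q(ns, name):
    # Qualify a tag with the POM namespace, or leave it bare for namespace-less POMs.
    return f"{{{ns}}}{name}" if ns else name


def _ns(root):
    return root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""


def _text(el, ns, name):
    child = el.find(_q(ns, name)) if el is not None else None
    return child.text.strip() if child is not None and child.text else None


def _build_plugins(root, ns):
    """Every <plugin> under <build><plugins> and <build><pluginManagement><plugins>."""
    b, p, pm, pl = (_q(ns, n) for n in ("build", "plugins", "pluginManagement", "plugin"))
    return root.findall(f"{b}/{p}/{pl}") + root.findall(f"{b}/{pm}/{p}/{pl}")


def _plexus_dep(plugin, ns):
    """The plugin's own <dependency> on plexus-utils, if it declares one."""
    for dep in plugin.findall(f"{_q(ns, 'dependencies')}/{_q(ns, 'dependency')}"):
        if (_text(dep, ns, "groupId"), _text(dep, ns, "artifactId")) == PLEXUS:
            return dep
    return None


def audit(pom_text, minimum=MIN_PLEXUS_UTILS):
    """Map each build plugin's artifactId to (pinned plexus-utils version or None,
    status), where status is "ok", "too-low" or "unpinned"."""
    root = ET.fromstring(pom_text)
    ns = _ns(root)
    report = {}
    for plugin in _build_plugins(root, ns):
        pinned = _text(_plexus_dep(plugin, ns), ns, "version")
        if pinned is None:
            status = "unpinned"  # plugin loads whatever its own POM declares
        elif version_key(pinned) < version_key(minimum):
            status = "too-low"
        else:
            status = "ok"
        report[_text(plugin, ns, "artifactId")] = (pinned, status)
    return report


def pin_plexus_utils(pom_text, version=MIN_PLEXUS_UTILS):
    """Return the POM with every build plugin pinned to at least `version`,
    adding the <dependencies> block the answers show where it is missing."""
    root = ET.fromstring(pom_text)
    ns = _ns(root)
    if ns:
        ET.register_namespace("", ns)  # serialize with a default xmlns, not ns0:
    for plugin in _build_plugins(root, ns):
        dep = _plexus_dep(plugin, ns)
        if dep is None:
            deps = plugin.find(_q(ns, "dependencies"))
            if deps is None:
                deps = ET.SubElement(plugin, _q(ns, "dependencies"))
            dep = ET.SubElement(deps, _q(ns, "dependency"))
            ET.SubElement(dep, _q(ns, "groupId")).text = PLEXUS[0]
            ET.SubElement(dep, _q(ns, "artifactId")).text = PLEXUS[1]
            ET.SubElement(dep, _q(ns, "version")).text = version
        else:
            ver = dep.find(_q(ns, "version"))
            if ver is None:
                ver = ET.SubElement(dep, _q(ns, "version"))
            if not ver.text or version_key(ver.text.strip()) < version_key(version):
                ver.text = version
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, (pinned, status) in audit(SAMPLE_POM).items():
        print(f"{name:24} plexus-utils={pinned or '-':8} {status}")
```

On the sample POM the audit reports the compiler plugin as `ok`, surefire as `too-low` (3.0.10) and the install plugin as `unpinned`, despite the 3.3.0 declared at project level; `pin_plexus_utils` brings all three to the floor. Two caveats apply to the real build: run `mvn dependency:resolve-plugins` afterwards to confirm which plexus-utils each plugin really resolves (a parent POM or profile can add plugins this script never sees), and raising a plugin's library above what it was built against can break that plugin, so treat the pin as something to test in CI rather than a free upgrade.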