
I am new to Maven and struggling to find out how Maven decides what version of a plugin (e.g. maven-compiler) to use when no version is defined in pom.xml.

Using the latest Maven version, 3.8.1. Created a hello-world Java program and ran mvn compile. It downloads the following versions: maven-resources-plugin:2.6:resources (default-resources), maven-compiler-plugin:3.1:compile (default-compile)

maven-compiler-plugin:3.1 was released in April 2013. The latest is 3.8.1. Why is Maven not using the latest version when I have not given anything specific in the pom?

Same with maven-resources-plugin:2.6. This version was released in August 2012. Latest version is 3.2.0.

I know I can define the latest versions of these plugins in the pom. But why is default Maven using such old versions? Am I missing any configuration?

Donald

1 Answer

You are missing the configuration, meaning that you have to define the appropriate plugins via pluginManagement (all plugins with their versions).

If the defaults were changed, there would be a lot of projects which would fail.

I can strongly recommend to define the versions given here https://maven.apache.org/plugins/

Usually the definition of plugin versions is a task for a corporate parent, to have a single location to define all the plugins and default configurations.

khmarbaise
  • Thanks, I did refer to that plugins page and want to use the latest versions. Will put them in the application pom. What did you mean by corporate parent? I believe the plugins would need to be defined in each application parent pom.xml. – Donald May 05 '21 at 16:21
  • @Donald Often companies have their own parent POM that serves as a parent for all their Maven projects. – J Fabian Meier May 05 '21 at 16:25
  • @Fabian Thanks, I was not aware of this. How should I set it up? Any links or best practices around this? I plan to use a Nexus repository within our org for all Maven projects. – Donald May 05 '21 at 16:27
  • A corporate pom is simply a separate Maven project which contains only a pom.xml which defines all that... you release a single version of it and use it in all your projects... I've been doing that on my own for a long time https://github.com/khmarbaise/smpp – khmarbaise May 05 '21 at 16:37
  • @khmarbaise thanks, this was helpful. Where is such a corporate pom file stored? It must be at a place where projects can refer to it. In the case of GitHub, every project usually has its own repository (within an organization); should the corporate pom exist in a separate repo of its own? – Donald May 05 '21 at 18:10
  • You should have a repository manager inside your company where you store such things, as well as other corporate artifacts which are not open source and are consumed inside the company... and yes, the corporate pom should have a separate git repo because you need to be able to make a full release process of it... including CI etc. – khmarbaise May 06 '21 at 06:13
  • The problem with Maven plugins is that, unlike for dependencies, you cannot specify a version wildcard for them, so there's no way to tell Maven "always use the latest plugin version" AFAIK. Therefore, after specifying a plugin's version in pom.xml you are forced to manually check if a new version was released before each release build, or you risk exposing yourself to whatever issues your locked version has... This is both a security and a management nightmare... – morgwai Dec 18 '21 at 18:13
  • A wildcard would potentially cause issues and prevent reproducibility. You should define a parent pom which contains a set of versions (pluginManagement). And you can create reports (https://www.mojohaus.org/versions-maven-plugin/display-plugin-updates-mojo.html) which should be checked on a regular basis (using CI solutions, for example). – khmarbaise Dec 18 '21 at 18:28
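
An added example, not part of the original thread and not Maven's own code: a Python check that lists the plugins a single pom.xml runs without pinning a version, which are the ones that fall back to Maven's built-in defaults as in the question. The implicit plugin list assumes jar packaging; the function names and the sample POM are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Assumption: plugins Maven binds implicitly for jar packaging (clean and
# default lifecycles); Maven supplies their versions unless a POM pins them.
IMPLICIT_JAR_PLUGINS = {
    "maven-clean-plugin", "maven-resources-plugin", "maven-compiler-plugin",
    "maven-surefire-plugin", "maven-jar-plugin", "maven-install-plugin",
    "maven-deploy-plugin",
}

def _plugins(root, path):
    """Map artifactId -> version ('' when absent) for <plugin> nodes at path."""
    found = {}
    for plugin in root.findall(path, NS):
        aid = plugin.findtext("m:artifactId", default="", namespaces=NS).strip()
        if aid:
            found[aid] = plugin.findtext("m:version", default="", namespaces=NS).strip()
    return found

def unpinned_plugins(pom_xml):
    """Sorted artifactIds this POM runs without fixing a version itself.
    Only this file is inspected; versions inherited from a parent POM are not."""
    root = ET.fromstring(pom_xml)
    managed = _plugins(root, "m:build/m:pluginManagement/m:plugins/m:plugin")
    declared = _plugins(root, "m:build/m:plugins/m:plugin")
    pinned = {a for src in (managed, declared) for a, v in src.items() if v}
    return sorted((IMPLICIT_JAR_PLUGINS | set(declared)) - pinned)

# Constructed sample: pins the two plugins from the question, leaves the rest.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>hello-world</artifactId>
  <version>1.0</version>
  <build>
    <pluginManagement><plugins>
      <plugin><artifactId>maven-compiler-plugin</artifactId><version>3.8.1</version></plugin>
      <plugin><artifactId>maven-resources-plugin</artifactId><version>3.2.0</version></plugin>
    </plugins></pluginManagement>
    <plugins>
      <plugin><artifactId>maven-source-plugin</artifactId></plugin>
    </plugins>
  </build>
</project>"""

if __name__ == "__main__":
    for artifact_id in unpinned_plugins(SAMPLE_POM):
        print("no version pinned:", artifact_id)
```

Run in CI against each project POM, a non-empty result means the build still depends on plugin versions chosen by the installed Maven rather than by the project or its corporate parent.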