How does Maven decide what version of a plugin to use, when you don't specify any?
E

3

8

I recognized that Maven does not always use the latest version of a plugin.

For example, org.codehaus.mojo:sonar-maven-plugin version 2.7 has been released on the 19th of October, but on the 23rd of October, 2.6 was still used by Maven (mvn sonar:sonar).

I even remember some plugins, where the latest version was several minor releases above the version that Maven decided to use.

Is there any (central) index/list/database where Maven looks up what version to use? If yes, where can it be accessed manually?

Engedi answered 27/10, 2015 at 15:3 Comment(4)
Best is to pin all versions of used plugins in a company/corporate pom. - Obidiah
Yeah, that's correct, but we can't change this for all projects at once, so I want to track changes in Maven plugin's default versions. - Engedi
There is no plugin default version....? - Obidiah
Does this answer your question? How does Maven resolve plugin versions? - Carbonic
B
8

I know this is an ancient thread but in the interest of posterity and accuracy: all pom.xmls logically inherit from the super POM. You can always see what your "real" pom.xml looks like by typing:

mvn help:effective-pom

The resulting pom.xml that is printed is a combination of the super POM, your pom.xml, and of course any parent POMs in the mix as well.

The super POM is provided by the org.apache.maven.model.superpom.DefaultSuperPomProvider class (https://github.com/apache/maven/blob/bce33aa2662a51d18cb00347cf2fb174dc195fb1/maven-model-builder/src/main/java/org/apache/maven/model/superpom/DefaultSuperPomProvider.java#L56-L85). The resource it loads is org/apache/maven/model/pom-4.0.0.xml (https://github.com/apache/maven/blob/bce33aa2662a51d18cb00347cf2fb174dc195fb1/maven-model-builder/src/main/resources/org/apache/maven/model/pom-4.0.0.xml#L23-L149).

Biannual answered 11/3, 2017 at 0:35 Comment(5)
That's pretty nice to know, but the super POM does not contain any of the (default lifecycle) plugin versions. - Engedi
At least as of Maven 2, it does: maven.apache.org/guides/introduction/…; scroll down past the first XML hairball to the second one. Your point about it being missing from the Maven 3 super POM is a good one, however; I'll see if I can track it down. - Biannual
That's pretty interesting. If this documentation would be for Maven 3.X, it would definitely answer my question. There has to be such a thing for Maven 3... - Engedi
Yes, and I see that I have been lulled into complacency assuming that the 2.x super POM carried over. Clearly it does not. - Biannual
The Maven 3 super POM is provided by the org.apache.maven.model.superpom.DefaultSuperPomProvider class (github.com/apache/maven/blob/…). The resource it loads can be found here: github.com/apache/maven/blob/… - Biannual
A
6

As far as I know, this link will answer your question.

Automatic Plugin Version Resolution

When a plugin was invoked without an explicit version given in the POM or on the command line, Maven 2.x used to pick the latest version available where the latest version could either be a release or a snapshot. For the sake of stability, Maven 3.x prefers the latest release version over the latest snapshot version.

Given the threat of non-reproducible builds imposed by automatic plugin version resolution, this feature is scheduled for removal as far as plugin declarations in the POM are concerned. Users of Maven 3.x will find it output a warning when missing plugin versions are detected to encourage the addition of plugin versions to the POM or one of its parent POMs. The Enforcer rule requirePluginVersions can additionally be used to check for missing plugin versions in the POM.

Aliciaalick answered 27/10, 2015 at 15:10 Comment(1)
I wished this would answer my question. For example, when I do a mvn compile now using Maven 3.3.9, it takes maven-compiler-plugin 2.3.2 but 3.6.1 is the latest release (11 releases later). - Engedi
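
Added example (not part of the answer above, and not code from Maven or the Enforcer plugin): a stand-alone check in the spirit of the missing-plugin-version warning quoted above, listing build plugins in a single POM whose version is absent or floating. It assumes one POM in the standard 4.0.0 namespace and does not resolve parent POMs or properties; the sample POM and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FLOATING = {"LATEST", "RELEASE"}  # meta-versions that are resolved at build time

# Constructed sample POM (not from the page): one plugin pinned through
# pluginManagement, one with no version at all, one using a meta-version.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <build>
    <pluginManagement><plugins>
      <plugin><artifactId>maven-clean-plugin</artifactId><version>3.0.0</version></plugin>
    </plugins></pluginManagement>
    <plugins>
      <plugin><artifactId>maven-clean-plugin</artifactId></plugin>
      <plugin><artifactId>maven-compiler-plugin</artifactId></plugin>
      <plugin><groupId>org.codehaus.mojo</groupId><artifactId>sonar-maven-plugin</artifactId><version>LATEST</version></plugin>
    </plugins>
  </build>
</project>"""

def _key(plugin):
    # Maven defaults a plugin's groupId to org.apache.maven.plugins when omitted.
    gid = plugin.findtext("m:groupId", "org.apache.maven.plugins", NS).strip()
    aid = plugin.findtext("m:artifactId", "", NS).strip()
    return f"{gid}:{aid}"

def _version(plugin):
    return plugin.findtext("m:version", "", NS).strip()

def unpinned_plugins(pom_xml):
    """Return {groupId:artifactId: reason} for plugins without a fixed version."""
    root = ET.fromstring(pom_xml)
    managed = {_key(p): _version(p) for p in
               root.findall("m:build/m:pluginManagement/m:plugins/m:plugin", NS)}
    findings = {}
    for p in root.findall("m:build/m:plugins/m:plugin", NS):
        key = _key(p)
        version = _version(p) or managed.get(key, "")  # fall back to managed version
        if not version:
            findings[key] = "no version"
        elif version in FLOATING or version.endswith("-SNAPSHOT"):
            findings[key] = f"floating version {version}"
    return findings

if __name__ == "__main__":
    for plugin, reason in unpinned_plugins(SAMPLE_POM).items():
        print(f"{plugin}: {reason}")
```
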
M
1

For command line execution if a version is not specified Maven looks up the latest version from the GA (group ID/artifact ID) maven-metadata.xml file.

Example: http://repo1.maven.org/maven2/org/apache/maven/plugins/maven-clean-plugin/maven-metadata.xml

If you're encoding command line execution of Maven goals into your builds you should specify a version for these, otherwise your builds may change as new versions of plugins are released.

Motherwort answered 28/10, 2015 at 13:3 Comment(1)
This can't always be the latest. For example, a mvn clean call uses maven-clean-plugin 2.5 but 2.6, 2.6.1 and 3.0.0 are already released. - Engedi
