Update maven.version

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
org.apache.maven:maven-settings-builder (source)	3.0.5 → 3.9.16
org.apache.maven:maven-settings (source)	3.0.5 → 3.9.16
org.apache.maven:maven-artifact (source)	3.0.5 → 3.9.16
org.apache.maven:maven-model (source)	3.0.5 → 3.9.16
org.apache.maven:maven-core (source)	3.0.5 → 3.8.1
org.apache.maven:maven-aether-provider (source)	3.0.5 → 3.3.9
org.apache.maven:maven-plugin-api (source)	3.0.5 → 3.9.16

---

Origin Validation Error in Apache Maven

CVE-2021-26291 / GHSA-2f88-5hg8-9x2x

More information

Details

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html

Severity

• CVSS Score: 9.1 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-26291
• https://lists.apache.org/thread.html/r06db4057b74e0598a412734f693a34a8836ac6f06d16d139e5e1027c@%3Cdev.maven.apache.org%3E
• https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E
• https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00@​%3Cusers.maven.apache.org%3E
• http://www.openwall.com/lists/oss-security/2021/04/23/5
• https://lists.apache.org/thread.html/r0556ce5db7231025785477739ee416b169d8aff5ee9bac7854d64736@​%3Cannounce.apache.org%3E
• https://lists.apache.org/thread.html/r3f0450dcab7e63b5f233ccfbc6fca5f1867a75c8aa2493ea82732381@​%3Cdev.jena.apache.org%3E
• https://lists.apache.org/thread.html/ra88a0eba7f84658cefcecc0143fd8bbad52c229ee5dfcbfdde7b6457@​%3Cdev.jena.apache.org%3E
• https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594@​%3Cdev.myfaces.apache.org%3E
• https://lists.apache.org/thread.html/r0a5e4ff2a7ca7ad8595d7683afbaeb3b8788ba974681907f97e7dc8e@%3Cjira.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r30e9fcba679d164158cc26236704c351954909c18cb2485d11038aa6@​%3Cdev.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r340e75c9bb6e8661b89e1cf2c52f4638a18312e57bd884722bc28f52@​%3Cjira.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r39fa6ec4b7e912d3e04ea68efd23e554ec9c8efa2c96f5b45104fc61@​%3Cjira.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r5ae6aaa8a2ce86145225c3516bb45d315c0454e3765d651527e5df8a@%3Ccommits.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r7212b874e575e59d648980d91bc22e684906aee9b211ab92da9591f5@​%3Cdev.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r78fb6d2cf0ca332cfa43abd4471e75fa6c517ed9cdfcb950bff48d40@​%3Cjira.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r86aebd0387ae19b740b3eb28bad83fe6aceca0d6257eaa810a6e0002@​%3Ccommits.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r86e1c81e03f441855f127980e9b3d41939d04a7caea2b7ab718e2288@​%3Cjira.kafka.apache.org%3E
• https://lists.apache.org/thread.html/rc7ae2530063d1cd1cf8e9fa130d10940760f927168d4063d23b8cd0a@%3Ccommits.kafka.apache.org%3E
• https://lists.apache.org/thread.html/rcd6c3a36f1dbc130da1b89d0f320db7040de71661a512695a8d513ac@%3Cdev.kafka.apache.org%3E
• https://lists.apache.org/thread.html/red3bf6cbfd99e36b0c0a4fa1cea1eef1eb300c6bd8f372f497341265@​%3Cdev.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r07a89b32783f73bda6903c1f9aadeb859e5bef0a4daed6d87db8e4a9@​%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/r08a401f8c98a99f68d061fde6e6659d695f28d60fe4f0413bcb355b0@​%3Ccommits.druid.apache.org%3E
• https://lists.apache.org/thread.html/r0d083314aa3934dd4b6e6970d1f6ee50f6eaa9d867deb2cd96788478@​%3Cjira.kafka.apache.org%3E
• https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe@%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013@​%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdfcd2f5d95892c5b@%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907bd5d8ef14c594fc@%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/r52c6cda14dc6315dc79e72d30109f4589e9c6300ef6dc1a019da32d4@​%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/r53cd5de57aaa126038c5301d8f518f3defab3c5b1c7e17c97bad08d8@​%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/r71bc13669be84c2ff45b74a67929bc2da905c152e12a39b406e3c2a0@​%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/r74329c671df713f61ae4620ee2452a0443ccad7f33c60e8ed7d21ff9@​%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf36c9ca240436b94@​%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/r96cc126d3ee9aa42af9d3bb4baa94828b0a5f656584a50dcc594125f@%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/ra9d984eccfd2ae7726671e025f0296bf03786e5cdf872138110ac29b@%3Ccommits.druid.apache.org%3E
• https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87b9f54ded26271c@%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb6008698d11ef44028c21@​%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94a0b64cab2efc31@​%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/re75f8b3dbc5faa1640908f87e644d373e00f8b4e6ba3e2ba4bd2c80b@%3Ccommits.druid.apache.org%3E
• https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32ea926b3de22402@​%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb55849eadde58fa9dc2@​%3Cissues.karaf.apache.org%3E
• https://www.whitesourcesoftware.com/resources/blog/maven-security-vulnerability-cve-2021-26291/
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://github.com/apache/maven/commit/899465aeec03753ea91e15a79579eab76369c016
• https://github.com/apache/maven/commit/fa79cb22e456cc65522b5bab8c4240fe08c5775f
• https://issues.apache.org/jira/browse/MNG-7116
• https://issues.apache.org/jira/browse/MNG-7117
• https://maven.apache.org/docs/3.8.1/release-notes.html
• https://github.com/advisories/GHSA-2f88-5hg8-9x2x

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

apache/maven (org.apache.maven:maven-settings-builder)

v3.9.16: 3.9.16

🐛 Bug Fixes

• Trim threadConfiguration to accept input surrounded with spaces (#​12042) @​slawekjaranowski
• Backport: Maven 3.10.x fixed plugin resolution (#​12022) @​cstamas

📦 Dependency updates

• Bump org.codehaus.plexus:plexus-classworlds from 2.9.0 to 2.11.0 (#​12039) @​dependabot[bot]
• [3.9.x] Bump to parent POM 48 (#​12024) @​cstamas
• Bump commons-io:commons-io from 2.21.0 to 2.22.0 (#​11980) @​dependabot[bot]
• Bump com.google.guava:guava from 33.5.0-jre to 33.6.0-jre (#​11951) @​dependabot[bot]
• Bump actions/cache from 5.0.4 to 5.0.5 (#​11943) @​dependabot[bot]

v3.9.15: 3.9.15

📝 Documentation updates

• Use new Maven logos in documentation (#​11938) @​slawekjaranowski
• document modelVersion only supported value: 4.0.0 (#​11809) @​hboutemy

📦 Dependency updates

• Bump actions/upload-artifact from 7.0.0 to 7.0.1 (#​11932) @​dependabot[bot]
• Bump org.codehaus.plexus:plexus-utils from 3.6.0 to 3.6.1 (#​11876) @​dependabot[bot]
• Bump org.fusesource.jansi:jansi from 2.4.2 to 2.4.3 (#​11865) @​dependabot[bot]
• Bump actions/cache from 5.0.3 to 5.0.4 (#​11813) @​dependabot[bot]
• Bump actions/download-artifact from 8.0.0 to 8.0.1 (#​11790) @​dependabot[bot]

v3.9.14: 3.9.14

🐛 Bug Fixes

• plexus-testing dependencies should be use in test scope (#​11761) @​slawekjaranowski

📦 Dependency updates

• Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#​11747) @​dependabot[bot]
• Bump actions/download-artifact from 7.0.0 to 8.0.0 (#​11748) @​dependabot[bot]

v3.9.13: 3.9.13

🐛 Bug Fixes

• Bug: SecDispatcher is managed by legacy Plexus DI (#​11711) @​cstamas
• [3.9.x] MavenPluginJavaPrerequisiteChecker: Handle 8/1.8 Java version in ranges as well (#​11577) @​cstamas

👻 Maintenance

• Update Maven plugin versions in default-bindings.xml (#​11721) @​slachiewicz
• Migrate to JUnit 5 - avoid using TestCase (#​11547) @​slawekjaranowski

📦 Dependency updates

• Maven Resolver 1.9.27 (#​11732) @​cstamas
• Bump resolverVersion from 1.9.25 to 1.9.26 (#​11725) @​dependabot[bot]
• Update Maven plugin versions in default-bindings.xml (#​11721) @​slachiewicz
• Bump version.sisu-maven-plugin from 0.9.0.M4 to 1.0.0 (#​11706) @​dependabot[bot]
• Bump actions/cache from 5.0.2 to 5.0.3 (#​11688) @​dependabot[bot]
• Bump org.apache.maven:maven-parent from 45 to 47 (#​11647) @​dependabot[bot]
• Bump actions/checkout from 6.0.1 to 6.0.2 (#​11666) @​dependabot[bot]
• Bump actions/setup-java from 5.1.0 to 5.2.0 (#​11667) @​dependabot[bot]
• Bump org.codehaus.mojo:animal-sniffer-maven-plugin from 1.26 to 1.27 (#​11658) @​dependabot[bot]
• Bump org.codehaus.mojo:buildnumber-maven-plugin from 3.2.1 to 3.3.0 (#​11657) @​dependabot[bot]
• Bump actions/cache from 5.0.1 to 5.0.2 (#​11659) @​dependabot[bot]
• Bump org.codehaus.plexus:plexus-testing from 2.0.2 to 2.1.0 (#​11620) @​dependabot[bot]
• Bump org.ow2.asm:asm from 9.9 to 9.9.1 (#​11585) @​slachiewicz
• Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#​11557) @​dependabot[bot]
• Bump actions/download-artifact from 6.0.0 to 7.0.0 (#​11556) @​dependabot[bot]
• Bump actions/cache from 5.0.0 to 5.0.1 (#​11558) @​dependabot[bot]

v3.9.12: 3.9.12

🚀 New features and improvements

• [3.9.x] Apply resolver changes and improvements (#​11536) @​cstamas
• Update formatting of prerequisites-requirements error to improve readability (#​11523) @​slawekjaranowski
• Allow a Maven plugin to require a Java version (#​11479) @​slawekjaranowski
• Use MavenRepositorySystem in ProjectBuildingHelper instead of deprecated RepositorySystem (#​11358) @​slawekjaranowski
• Make maven.config use UTF8 (#​11264) @​cstamas
• Simplify prefix resolution (#​11197) @​slawekjaranowski

🐛 Bug Fixes

• Add default implementation for new method in MavenPluginManager (#​11522) @​slawekjaranowski
• Repository layout should be used in MavenRepositorySystem (#​11495) @​slawekjaranowski
• Fix plugin prefix resolution when metadata is not available from repository (#​11290) @​slawekjaranowski
• Improve source root modification warning message (#​11105) @​gnodet
• Bug: bad cache isolation between two sessions (#​11082) @​cstamas
• Set Guice class loading to CHILD - avoid using terminally deprecated methods (#​11003) @​slawekjaranowski
• Avoid parsing MAVEN_OPTS (3.9.x) (#​10969) @​BobVul

📝 Documentation updates

• clarify repository vs deployment repository (#​11492) @​hboutemy
• add maintained branches (#​11448) @​hboutemy

👻 Maintenance

• Add IntelliJ icon (#​11408) @​Bukama
• Build by JDK 25 (#​11187) @​slawekjaranowski
• Deprecate org.apache.maven.repository.RepositorySystem in 3.9.x (#​11096) @​slawekjaranowski

🔧 Build

• Bump actions/download-artifact from 5.0.0 to 6.0.0 (#​11335) @​dependabot[bot]
• Bump actions/upload-artifact from 4.6.2 to 5.0.0 (#​11336) @​dependabot[bot]

📦 Dependency updates

• Bump actions/cache from 4.3.0 to 5.0.0 (#​11542) @​dependabot[bot]
• Bump resolverVersion from 1.9.24 to 1.9.25 (#​11533) @​dependabot[bot]
• Bump actions/checkout from 6.0.0 to 6.0.1 (#​11512) @​dependabot[bot]
• Bump actions/setup-java from 5.0.0 to 5.1.0 (#​11519) @​dependabot[bot]
• Bump actions/checkout from 5.0.1 to 6.0.0 (#​11476) @​dependabot[bot]
• Bump actions/checkout from 5.0.0 to 5.0.1 (#​11458) @​dependabot[bot]
• Bump commons-cli:commons-cli from 1.10.0 to 1.11.0 (#​11438) @​dependabot[bot]
• Bump org.codehaus.plexus:plexus-interpolation from 1.28 to 1.29 (#​11416) @​dependabot[bot]
• Bump commons-io:commons-io from 2.20.0 to 2.21.0 (#​11417) @​dependabot[bot]
• Bump xmlunitVersion from 2.10.4 to 2.11.0 (#​11331) @​dependabot[bot]
• Bump org.codehaus.mojo:animal-sniffer-maven-plugin from 1.24 to 1.26 (#​11231) @​dependabot[bot]
• Bump org.ow2.asm:asm from 9.8 to 9.9 (#​11203) @​dependabot[bot]
• Bump actions/cache from 4.2.4 to 4.3.0 (#​11172) @​dependabot[bot]
• Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre (#​11143) @​dependabot[bot]
• Bump xmlunitVersion from 2.10.3 to 2.10.4 (#​11121) @​dependabot[bot]
• Bump actions/cache from 4.2.3 to 4.2.4 (#​11032) @​dependabot[bot]
• Bump commons-cli:commons-cli from 1.9.0 to 1.10.0 (#​11018) @​dependabot[bot]
• Bump commons-io:commons-io from 2.19.0 to 2.20.0 (#​10966) @​dependabot[bot]

v3.9.11: 3.9.11

🚀 New features and improvements

• Augment version range resolution used repositories (#​2574) @​cstamas

🐛 Bug Fixes

• Deduplicate filtered dependency graph (#​2489) @​alzimmermsft
• Move ensure in boundaries of project lock (#​2470) @​cstamas

👻 Maintenance

• [MNGSITE-393] - remove references to Maven 2 (#​2438) @​elharo
• Update CONTRIBUTING after GitHub issues enabled (#​2449) @​slawekjaranowski
• Enable Github Issues (3.9.x) (#​2414) @​Bukama
• [MNG-8763] - Remove name from site bannerLeft (#​2419) @​slawekjaranowski

🔧 Build

• Pin GitHub action versions by hash (#​10898) @​slawekjaranowski
• Build the project by JDK 21 as default (#​10896) @​slawekjaranowski
• Use Maven 3.9.10 for build on GitHub (#​2452) @​slawekjaranowski

📦 Dependency updates

• Bump resolverVersion from 1.9.23 to 1.9.24 (#​2540) @​dependabot[bot]
• Bump xmlunitVersion from 2.10.2 to 2.10.3 (#​2500) @​dependabot[bot]
• Bump org.apache.maven:maven-parent from 44 to 45 (#​2491) @​dependabot[bot]
• Bump org.codehaus.mojo:build-helper-maven-plugin from 3.6.0 to 3.6.1 (#​2432) @​dependabot[bot]

v3.9.10: 3.9.10

Release Notes - Maven - Version 3.9.10

Bug

• [MNG-8096] - Inconsistent dependency resolution behaviour for concurrent multi-module build can cause failures
• [MNG-8169] - MINGW support requires --add-opens java.base/java.lang=ALL-UNNAMED
• [MNG-8170] - Maven 3.9.8 contains weird native library for Jansi on Windows/arm64
• [MNG-8211] - Maven should fail builds that use CI Friendly versions but have no values set
• [MNG-8248] - WARNING: A restricted method in java.lang.System has been called
• [MNG-8256] - ProjectDependencyGraph bug: in case of filtering, non-direct module links are lost
• [MNG-8315] - Failure of mvn.cmd if a .mvn directory is located at drive root
• [MNG-8396] - Maven takes forever to resume
• [MNG-8711] - "Duplicate artifact" in LifecycleDependencyResolver

Improvement

• [MNG-8370] - Introduce maven.repo.local.head
• [MNG-8399] - JDK 24+ issues warning about usage of sun.misc.Unsafe
• [MNG-8707] - Add methods to remove compile and test source roots
• [MNG-8712] - improve dependency version explanation: it&#​39;s a requirement, not always effective version
• [MNG-8717] - Remove maven-plugin-plugin:addPluginArtifactMetadata from default binding
• [MNG-8722] - Use a single standalone version of asm
• [MNG-8731] - Use https for xsi:schemaLocation in generated descriptors
• [MNG-8734] - Simplify scripting like "get project version" cases

Task

• [MNG-8728] - Bump Eclipse Sisu from 0.9.0.M3 to 0.9.0.M4 and use Java 24 on CI

Dependency upgrade

• [MNG-8289] - Update Plexus annotations to 2.2.0
• [MNG-8443] - Bump com.google.guava:guava from 33.2.1-jre to 33.4.0-jre
• [MNG-8531] - Bump org.codehaus.plexus:plexus-utils from 3.5.1 to 3.6.0
• [MNG-8532] - Bump commons-io:commons-io from 2.16.1 to 2.18.0
• [MNG-8534] - Bump org.codehaus.mojo:buildnumber-maven-plugin from 3.2.0 to 3.2.1
• [MNG-8635] - Bump com.google.guava:failureaccess from 1.0.2 to 1.0.3
• [MNG-8636] - Bump com.google.guava:guava from 33.4.0-jre to 33.4.5-jre
• [MNG-8640] - Bump org.apache.maven:maven-parent from 43 to 44
• [MNG-8661] - Bump com.google.guava:guava from 33.4.5-jre to 33.4.6-jre
• [MNG-8701] - Bump org.codehaus.plexus:plexus-interpolation from 1.27 to 1.28
• [MNG-8702] - Bump org.codehaus.plexus:plexus-classworlds from 2.8.0 to 2.9.0
• [MNG-8703] - Bump commons-io:commons-io from 2.18.0 to 2.19.0
• [MNG-8704] - Bump com.google.guava:guava from 33.4.6-jre to 33.4.8-jre
• [MNG-8705] - Bump commons-jxpath:commons-jxpath from 1.3 to 1.4.0
• [MNG-8706] - Bump commons-cli:commons-cli from 1.8.0 to 1.9.0
• [MNG-8715] - Bump org.fusesource.jansi:jansi from 2.4.1 to 2.4.2
• [MNG-8716] - Bump resolver to 1.9.23
• [MNG-8745] - Bump xmlunitVersion from 2.10.0 to 2.10.2

What's Changed

• [MNG-8211] Fail the build if CI Friendly revision used without value by @​cstamhttps://github.com/apache/maven/pull/1656l/1656
• Add missing since by @​cstamhttps://github.com/apache/maven/pull/1682l/1682
• [MNG-8256] FilteredProjectDependencyGraph fix for non-transitive case by @​cstamhttps://github.com/apache/maven/pull/1724l/1724
• [MNG-8315] Failure of mvn.cmd if a .mvn folder is located at drive root by @​fmarhttps://github.com/apache/maven/pull/1806l/1806
• [MNG-8289] Update Plexus Annotations to 2.2.0 by @​dependabhttps://github.com/apache/maven/pull/1666l/1666
• [MNG-8370] Add maven.repo.local.head by @​slawekjaranowshttps://github.com/apache/maven/pull/1915l/1915
• [MNG-8443] Bump com.google.guava:guava from 33.2.1-jre to 33.4.0-jre by @​dependabhttps://github.com/apache/maven/pull/1991l/1991
• [MNG-8531] Bump org.codehaus.plexus:plexus-utils from 3.5.1 to 3.6.0 by @​dependabhttps://github.com/apache/maven/pull/2013l/2013
• [MNG-8532] Bump commons-io:commons-io from 2.16.1 to 2.18.0 by @​dependabhttps://github.com/apache/maven/pull/1926l/1926
• [MNG-8534] Bump org.codehaus.mojo:buildnumber-maven-plugin from 3.2.0 to 3.2.1 by @​dependabhttps://github.com/apache/maven/pull/1699l/1699
• Add PR Automation action by @​slawekjaranowshttps://github.com/apache/maven/pull/2113l/2113
• Bump com.google.guava:failureaccess from 1.0.2 to 1.0.3 by @​dependabhttps://github.com/apache/maven/pull/2167l/2167
• Bump com.google.guava:guava from 33.4.0-jre to 33.4.5-jre by @​dependabhttps://github.com/apache/maven/pull/2168l/2168
• [MNG-8640] Bump org.apache.maven:maven-parent from 43 to 44 by @​dependabhttps://github.com/apache/maven/pull/2163l/2163
• Use Maven 3.9.9 for build maven-3.9.x branch by @​slawekjaranowshttps://github.com/apache/maven/pull/2177l/2177
• [MNG-8248] Add enable-native-access to startup scripts by @​slawekjaranowshttps://github.com/apache/maven/pull/2171l/2171
• [MNG-8661] Bump com.google.guava:guava from 33.4.5-jre to 33.4.6-jre by @​dependabhttps://github.com/apache/maven/pull/2185l/2185
• Use dedicated local repo for ITs on Jenkins by @​slawekjaranowshttps://github.com/apache/maven/pull/2255l/2255
• [MNG-8701] Bump org.codehaus.plexus:plexus-interpolation from 1.27 to 1.28 by @​dependabhttps://github.com/apache/maven/pull/2240l/2240
• [MNG-8702] Bump org.codehaus.plexus:plexus-classworlds from 2.8.0 to 2.9.0 by @​dependabhttps://github.com/apache/maven/pull/2241l/2241
• [MNG-8703] Bump commons-io:commons-io from 2.18.0 to 2.19.0 by @​dependabhttps://github.com/apache/maven/pull/2258l/2258
• [MNG-8704] Bump com.google.guava:guava from 33.4.6-jre to 33.4.8-jre by @​dependabhttps://github.com/apache/maven/pull/2264l/2264
• [MNG-8705] Bump commons-jxpath:commons-jxpath from 1.3 to 1.4.0 by @​dependabhttps://github.com/apache/maven/pull/2270l/2270
• [MNG-8706] Bump commons-cli:commons-cli from 1.8.0 to 1.9.0 by @​dependabhttps://github.com/apache/maven/pull/1665l/1665
• [MNG-8715] Bump org.fusesource.jansi:jansi from 2.4.1 to 2.4.2 by @​dependabhttps://github.com/apache/maven/pull/2280l/2280
• [MNG-8707] Add methods to remove compile and test source roots by @​gnodhttps://github.com/apache/maven/pull/2275l/2275
• [MNG-8712] dependency version is a requirement, not effective by @​hboutehttps://github.com/apache/maven/pull/2279l/2279
• [MNG-8717] Remove maven-plugin-plugin:addPluginArtifactMetadata from default binding by @​slawekjaranowshttps://github.com/apache/maven/pull/2295l/2295
• [MNG-8169] Add opens java.base/java.lang=ALL-UNNAMED for MinGW by @​slawekjaranowshttps://github.com/apache/maven/pull/2296l/2296
• [MNG-8722] Use a single standalone version of asm by @​slawekjaranowshttps://github.com/apache/maven/pull/2297l/2297
• [MNG-8716] Bump resolver to 1.9.23 by @​slawekjaranowshttps://github.com/apache/maven/pull/2282l/2282
• [MNG-8731] Use https for xsi:schemaLocation in generated descriptors by @​slawekjaranowshttps://github.com/apache/maven/pull/2343l/2343
• [MNG-8711] Fix concurrent cache access by @​slawekjaranowshttps://github.com/apache/maven/pull/2345l/2345
• Update README.md by @​slawekjaranowshttps://github.com/apache/maven/pull/2353l/2353
• [MNG-8728] Bump Eclipse Sisu from 0.9.0.M3 to 0.9.0.M4 by @​cstamhttps://github.com/apache/maven/pull/2359l/2359
• [MNG-8728] Build ITs on JDK 21, 24 by @​slawekjaranowshttps://github.com/apache/maven/pull/2360l/2360
• [MNG-8734] Make Maven 3.9.10 ignore --raw-streams option by @​cstamhttps://github.com/apache/maven/pull/2361l/2361
• Bump xmlunitVersion from 2.10.0 to 2.10.1 by @​dependabhttps://github.com/apache/maven/pull/2354l/2354
• [MNG-8396] Backport: add cache layer to the filtered dep graph by @​cstamhttps://github.com/apache/maven/pull/2393l/2393
• [MNG-8745] Bump xmlunitVersion from 2.10.1 to 2.10.2 by @​dependabhttps://github.com/apache/maven/pull/2389l/2389

New Contributors

• @​fmarot made their first contributihttps://github.com/apache/maven/pull/1806l/1806

Full Changelog: apache/maven@maven-3.9.9...maven-3.9.10

v3.9.9: 3.9.9

Release Notes - Maven - Version 3.9.9

Bug

• [MNG-8159] - Fix search for topDirectory when using -f / --file for Maven 3.9.x
• [MNG-8165] - Maven does not find extensions for -f when current dir is root
• [MNG-8177] - Warning "&#​39;dependencyManagement.dependencies.dependency.systemPath&#​39; for com.sun:tools:jar refers to a non-existing file C:\Temp\jdk-11.0.23\..\lib\tools.jar"
• [MNG-8178] - Profile activation based on OS properties is broken for "mvn site"
• [MNG-8180] - Resolver will blindly assume it is deploying a plugin by presence of META-INF/maven/plugins.xml in JAR
• [MNG-8182] - Missing or mismatching Trusted Checksum for some artifacts is not properly reported
• [MNG-8188] - [REGRESSION] Property not resolved in profile pluginManagement

Task

• [MNG-8206] - Remove Maven 2.1 (v 2.0) compatibility bits

Dependency upgrade

• [MNG-8175] - Resolver 1.9.21
• [MNG-8179] - Upgrade Parent to 43
• [MNG-8193] - Resolver 1.9.22
• [MNG-8198] - (build) Animal Sniffer 1.24
• [MNG-8199] - Hamcrest 3.0

What's Changed

• [MNG-8159] Fix search for topDirectory when using -f / --file by @​gzmhttps://github.com/apache/maven/pull/1589l/1589
• [MNG-7194] Test missing property evaluation by @​pzygiehttps://github.com/apache/maven/pull/1570l/1570
• [3.9.x] [MNG-8175] Update Resolver to 1.9.21 by @​cstamhttps://github.com/apache/maven/pull/1598l/1598
• [MNG-8178] Fall back to system properties for missing profile activation context properties by @​kohlschuetthttps://github.com/apache/maven/pull/1603l/1603
• [MNG-8179] Upgrade Parent to 43 by @​slawekjaranowshttps://github.com/apache/maven/pull/1610l/1610
• [MNG-8180] Fail install/deploy if rogue Maven Plugin metadata found by @​cstamhttps://github.com/apache/maven/pull/1611l/1611
• [3.9.x][MNG-8193] Update to Resolver 1.9.22 by @​cstamhttps://github.com/apache/maven/pull/1627l/1627
• [MNG-8199] Hamcrest 3.0 by @​cstamhttps://github.com/apache/maven/pull/1631l/1631
• [MNG-8182] Resolved errors were created based on collect exceptions by @​cstamhttps://github.com/apache/maven/pull/1632l/1632
• [MNG-8180] Handle NPE due non-existent tags by @​cstamhttps://github.com/apache/maven/pull/1641l/1641
• [MNG-8180] Back out from failing the build by @​cstamhttps://github.com/apache/maven/pull/1642l/1642
• [MNG-8206] Remove bad plugin.xml from maven-compat by @​cstamhttps://github.com/apache/maven/pull/1646l/1646
• [MNG-8177] Add contextual info for model warnings by @​cstamhttps://github.com/apache/maven/pull/1633l/1633
• [MNG-8188] Profile properties are not interpolated by @​cstamhttps://github.com/apache/maven/pull/1634l/1634
• [MNG-8165] Align mvn.sh script with mvn.cmd by @​cstamhttps://github.com/apache/maven/pull/1647l/1647
• [MNG-8165] Get rid of bashism creeped in by @​cstamhttps://github.com/apache/maven/pull/1653l/1653

New Contributors

• @​gzm55 made their first contributihttps://github.com/apache/maven/pull/1589l/1589
• @​kohlschuetter made their first contributihttps://github.com/apache/maven/pull/1603l/1603

Full Changelog: apache/maven@maven-3.9.8...maven-3.9.9

v3.9.8: 3.9.8

Release Notes - Maven - Version 3.9.8

Bug

• [MNG-7758] - o.e.aether.resolution.ArtifactResolutionException incorrectly examined when multiple repositories are involved
• [MNG-8066] - Maven hangs on self-referencing exceptions
• [MNG-8116] - Plugin configuration can randomly fail in case of method overloading as it doesn&#​39;t take into account implementation attribute
• [MNG-8131] - Property replacement in dependency pom no longer works
• [MNG-8135] - Profile activation based on OS properties is no longer case insensitive
• [MNG-8142] - If JDK profile activator gets "invalid" JDK version for whatever reason, it chokes but does not tell why
• [MNG-8147] - Profile interpolation broke their evaluation in case of duplicate IDs

Improvement

• [MNG-7902] - Sort plugins in validation report
• [MNG-8140] - When a model is discarded (by model builder) for whatever reason, show why it happened
• [MNG-8141] - Model Builder should report if not sure about "fully correct" outcome
• [MNG-8150] - Make SimplexTransferListener handle absent source/target files

Task

• [MNG-8146] - Drop use of commons-lang

Dependency upgrade

• [MNG-8136] - Update to Eclipse Sisu 0.9.0.M3
• [MNG-8143] - Update to commons-cli 1.8.0
• [MNG-8144] - Update to Guava 32.2.1-jre
• [MNG-8154] - Upgrade default plugin bindings

---

What's Changed

• Use Maven Wrapper to build by @​slawekjaranowski in #​1553
• [3.9.x] [MNG-8136] Update Eclipse Sisu to 0.9.0.M3 by @​cstamas in #​1547
• [MNG-8135] Profile activation based on OS properties is no longer case insensitive by @​cstamas in #​1561
• [3.9.x] Dependency updates by [@​cstamas](https

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.