pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2021Q3]: pkgsrc/devel/apache-maven Pullup ticket #6518 - reque...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/5932b1f6a4e0
branches:  pkgsrc-2021Q3
changeset: 768252:5932b1f6a4e0
user:      tm <tm%pkgsrc.org@localhost>
date:      Sat Oct 16 20:29:42 2021 +0000

description:
Pullup ticket #6518 - requested by wiz
devel/apache-maven: security fix

Revisions pulled up:
- devel/apache-maven/Makefile                                   1.18
- devel/apache-maven/PLIST                                      1.12
- devel/apache-maven/distinfo                                   1.20
- devel/apache-maven/patches/patch-bin_mvn                      1.9

---
   Module Name: pkgsrc
   Committed By:        wiz
   Date:                Fri Oct  8 15:08:21 UTC 2021

   Modified Files:
        pkgsrc/devel/apache-maven: Makefile PLIST distinfo
        pkgsrc/devel/apache-maven/patches: patch-bin_mvn

   Log Message:
   apache-maven: update to 3.8.3.

   3.8.3

   ** Bug
        * [MNG-7045] - Drop CDI API from Maven
        * [MNG-7214] - Bad transitive dependency parent from CDI API
        * [MNG-7215] - [Regression] Maven Site Plugin cannot resolve parent site descriptor without locale
        * [MNG-7216] - Revert MNG-7170
        * [MNG-7218] - [Regression] o.a.m.model.Build.getSourceDirectory() incorrectly returns absolute dir on 3.8.2
        * [MNG-7219] - [Regression] plexus-cipher missing from transitive dependencies
        * [MNG-7220] - [REGRESSION] test-classpath incorrectly resolved
        * [MNG-7251] - Fix threadLocalArtifactsHolder leaking into cloned project
        * [MNG-7253] - Relocation message is never shown

   ** New Feature
        * [MNG-7164] - Add constructor MojoExecutionException(Throwable)

   ** Improvement
        * [MNG-7235] - Speed improvements when calculating the sorted project graph
        * [MNG-7236] - The DefaultPluginVersionResolver should cache results for the session

   ** Task
        * [MNG-7252] - Fix warnings issued by dependency:analyze
        * [MNG-7254] - Expand Windows native libraries for Jansi due to JDK-8195129 (workaround)

   3.8.2

   ** Sub-task
        * [MNG-6281] - ArrayIndexOutOfBoundsException caused by pom.xml with invalid/duplicate XML

   ** Bug
        * [MNG-4706] - Multithreaded building can create bad files for downloaded artifacts in local repository
        * [MNG-5307] - NPE during resolution of dependencies - parallel mode
        * [MNG-5315] - Artifact resolution sporadically fails in parallel builds
        * [MNG-5838] - Maven on No-File-Lock Systems
        * [MNG-5868] - Adding serval times the same artifact via MavenProjectHelper (attachArtifact) keep adding to the List duplicate artifacts
        * [MNG-6071] - GetResource ('/) returns 'null' if build is started with -f
        * [MNG-6216] - ArrayIndexOutOfBoundsException when parsing POM
        * [MNG-6239] - Jansi messes up System.err and System.out
        * [MNG-6380] - Option -Dstyle.color=always doesn't force color output
        * [MNG-6604] - Intermittent failures while downloading GAVs from Nexus
        * [MNG-6648] - 'mavenrc_pre' script does not receive arguments like mavenrc in Bourne shell does
        * [MNG-6719] - mvn color output escape keys w/ "| tee xxx.log" on Win with git/bash
        * [MNG-6737] - StackOverflowError when version ranges are unsolvable and graph contains a cycle
        * [MNG-6767] - Plugin with ${project.groupId} resolved improperly
        * [MNG-6819] - NullPointerException for DefaultArtifactDescriptorReader.loadPom
        * [MNG-6828] - DependencyResolutionException breaks serialization
        * [MNG-6842] - ProjectBuilderTest uses Guava, but Guava is not defined in dependencies
        * [MNG-6843] - Parallel build fails due to missing JAR artifacts in compilePath
        * [MNG-6850] - Prevent printing the EXEC_DIR when it's just a disk letter
        * [MNG-6921] - Maven compile with properties ${artifactId} and ${project.build.finalName} occurs java.lang.NullPointerException
        * [MNG-6937] - StringSearchModelInterpolatorTest fails on symlinked paths
        * [MNG-6964] - Maven version sorting is internally inconsistent
        * [MNG-6983] - Plugin key can get out of sync with artifactId and groupId
        * [MNG-7000] - metadata.mdo contains invalid link to schema
        * [MNG-7032] - Option -B still showing formatting when used with --version
        * [MNG-7034] - StackOverflowError thrown if a cycle exists in BOM imports
        * [MNG-7090] - mvnDebug does not work on Java 11+
        * [MNG-7127] - NullPointerException in MavenCliTest.testStyleColors in JDK 16
        * [MNG-7155] - make sources jar reproducible (upgrade maven-source-plugin to 3.2.1)
        * [MNG-7161] - Error thrown during uninstalling of JAnsi

   ** New Feature
        * [MNG-7149] - Introduce MAVEN_DEBUG_ADDRESS in mvnDebug scripts

   ** Improvement
        * [MNG-2802] - Concurrent-safe access to local Maven repository
        * [MNG-6471] - Parallel builder should use  the module name as thread name
        * [MNG-6754] - Set the same timestamp in multi module builds
        * [MNG-6810] - Remove profiles in maven-model
        * [MNG-6811] - Remove unnecessary filtering configuration
        * [MNG-6816] - Prefer System.lineSeparator() over system properties
        * [MNG-6827] - Replace deprecated StringUtils#defaultString() from Plexus Utils
        * [MNG-6837] - Simplify detection of the MAVEN_HOME and make it fully qualified on Windows
        * [MNG-6844] - Use StandardCharsets and remove outdated @SuppressWarnings
        * [MNG-6853] - Don't box primitives where it's not needed
        * [MNG-6859] - Build not easily reproducible when built from source release archive
        * [MNG-6873] - Inconsistent library versions notice
        * [MNG-6967] - Improve the command line output from maven-artifact
        * [MNG-6987] - Reorder groupId before artifactId when writing an exclusion using maven-model
        * [MNG-7010] - Omit "NB: JAVA_HOME should point to a JDK not a JRE" except when that is the problem
        * [MNG-7064] - Use HTTPS for schema location in global settings.xml
        * [MNG-7080] - Add a --color option
        * [MNG-7170] - Allow to associate pomFile/${basedir} with DefaultProjectBuilder.build(ModelSource, ...)
        * [MNG-7180] - Make --color option behave more like BSD/GNU grep's --color option
        * [MNG-7181] - Make --version support -q
        * [MNG-7185] - Describe explicit and recommended version for VersionRange.createFromVersionSpec()
        * [MNG-7190] - Load mavenrc from /usr/local/etc also in Bourne shell script

   ** Task
        * [MNG-6598] - Maven 3.6.0 and Surefire problem
        * [MNG-6884] - Cleanup POM File after version upgrade
        * [MNG-7172] - Remove expansion of Jansi native libraries
        * [MNG-7184] - document .mavenrc/maven_pre.bat|cmd scripts and MAVEN_SKIP_RC environment variable

   3.8.1

   This release with CVE fixes is a result based on the findings and feedback of Jonathan Leitschuh
   and Olaf Flebbe.

   One of the changes that might impact your builds is the way custom repositories defined in
   dependency POMs will be handled.
   By default external insecure repositories will now be blocked (localhost over HTTP will still
   work).
   Configuration can be adjusted via the conf/settings.xml.

   Release Notes - Maven - Version 3.8.1

   ** Bug

       * [MNG-7128] - improve error message when blocked repository defined in build POM

   ** New Feature

       * [MNG-7116] - Add support for mirror selector on external:http:*
       * [MNG-7117] - Add support for blocking mirrors
       * [MNG-7118] - Block external HTTP repositories by default

   ** Dependency upgrade
       * [MNG-7119] - Upgrade Maven Wagon to 3.4.3
       * [MNG-7123] - Upgrade Maven Resolver to 1.6.2

diffstat:

 devel/apache-maven/Makefile              |   5 +--
 devel/apache-maven/PLIST                 |  48 +++++++++++++++----------------
 devel/apache-maven/distinfo              |  12 ++++----
 devel/apache-maven/patches/patch-bin_mvn |  15 ++++-----
 4 files changed, 38 insertions(+), 42 deletions(-)

diffs (153 lines):

diff -r 8fd274fe0152 -r 5932b1f6a4e0 devel/apache-maven/Makefile
--- a/devel/apache-maven/Makefile       Sat Oct 16 18:52:17 2021 +0000
+++ b/devel/apache-maven/Makefile       Sat Oct 16 20:29:42 2021 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.17 2020/06/29 12:39:54 yyamano Exp $
-#
+# $NetBSD: Makefile,v 1.17.10.1 2021/10/16 20:29:42 tm Exp $
 
-DISTNAME=      apache-maven-3.6.3
+DISTNAME=      apache-maven-3.8.3
 CATEGORIES=    devel java
 MASTER_SITES=  ${MASTER_SITE_APACHE:=maven/maven-3/${PKGVERSION_NOREV}/binaries/}
 DISTFILES=     ${DISTNAME}-bin${EXTRACT_SUFX}
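Review bot: the DISTNAME change from apache-maven-3.6.3 to apache-maven-3.8.3 crosses the 3.8.1 release, which per the log message blocks external insecure (HTTP) repositories by default, so users of the pkgsrc-2021Q3 stable branch may see previously working builds fail after this pullup. Consider mentioning that behaviour change, and the conf/settings.xml adjustment the log refers to, in the pullup description next to "security fix". The same hunk also drops the bare `#` line after the RCS id, which is harmless.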
diff -r 8fd274fe0152 -r 5932b1f6a4e0 devel/apache-maven/PLIST
--- a/devel/apache-maven/PLIST  Sat Oct 16 18:52:17 2021 +0000
+++ b/devel/apache-maven/PLIST  Sat Oct 16 20:29:42 2021 +0000
@@ -1,17 +1,15 @@
-@comment $NetBSD: PLIST,v 1.11 2020/06/29 12:39:54 yyamano Exp $
+@comment $NetBSD: PLIST,v 1.11.10.1 2021/10/16 20:29:42 tm Exp $
 bin/mvn
 lib/java/maven/boot/plexus-classworlds-2.6.0.jar
-lib/java/maven/cdi-api-1.0.jar
 lib/java/maven/commons-cli-1.4.jar
-lib/java/maven/commons-io-2.5.jar
+lib/java/maven/commons-io-2.6.jar
 lib/java/maven/commons-lang3-3.8.1.jar
 lib/java/maven/guava-25.1-android.jar
-lib/java/maven/guice-4.2.1-no_aop.jar
-lib/java/maven/jansi-1.17.1.jar
+lib/java/maven/guice-4.2.2-no_aop.jar
+lib/java/maven/jansi-2.3.4.jar
+lib/java/maven/javax.annotation-api-1.2.jar
 lib/java/maven/javax.inject-1.jar
-lib/java/maven/jcl-over-slf4j-1.7.29.jar
-lib/java/maven/jsoup-1.12.1.jar
-lib/java/maven/jsr250-api-1.0.jar
+lib/java/maven/jcl-over-slf4j-1.7.32.jar
 lib/java/maven/maven-artifact-${PKGVERSION}.jar
 lib/java/maven/maven-builder-support-${PKGVERSION}.jar
 lib/java/maven/maven-compat-${PKGVERSION}.jar
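Review bot: the removal of lib/java/maven/cdi-api-1.0.jar matches MNG-7045 in the log, but the removals of jsoup-1.12.1.jar and jsr250-api-1.0.jar and the new javax.annotation-api-1.2.jar are not explained by any entry quoted in the log message. Confirm these lines against the lib/ directory of the extracted 3.8.3 binary tarball (for example with the print-PLIST target) rather than by hand-editing, and note the dropped and added bundled jars in the commit message.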
@@ -21,28 +19,28 @@
 lib/java/maven/maven-model-builder-${PKGVERSION}.jar
 lib/java/maven/maven-plugin-api-${PKGVERSION}.jar
 lib/java/maven/maven-repository-metadata-${PKGVERSION}.jar
-lib/java/maven/maven-resolver-api-1.4.1.jar
-lib/java/maven/maven-resolver-connector-basic-1.4.1.jar
-lib/java/maven/maven-resolver-impl-1.4.1.jar
+lib/java/maven/maven-resolver-api-1.6.3.jar
+lib/java/maven/maven-resolver-connector-basic-1.6.3.jar
+lib/java/maven/maven-resolver-impl-1.6.3.jar
 lib/java/maven/maven-resolver-provider-${PKGVERSION}.jar
-lib/java/maven/maven-resolver-spi-1.4.1.jar
-lib/java/maven/maven-resolver-transport-wagon-1.4.1.jar
-lib/java/maven/maven-resolver-util-1.4.1.jar
+lib/java/maven/maven-resolver-spi-1.6.3.jar
+lib/java/maven/maven-resolver-transport-wagon-1.6.3.jar
+lib/java/maven/maven-resolver-util-1.6.3.jar
 lib/java/maven/maven-settings-${PKGVERSION}.jar
 lib/java/maven/maven-settings-builder-${PKGVERSION}.jar
-lib/java/maven/maven-shared-utils-3.2.1.jar
+lib/java/maven/maven-shared-utils-3.3.4.jar
 lib/java/maven/maven-slf4j-provider-${PKGVERSION}.jar
-lib/java/maven/org.eclipse.sisu.inject-0.3.4.jar
-lib/java/maven/org.eclipse.sisu.plexus-0.3.4.jar
-lib/java/maven/plexus-cipher-1.7.jar
+lib/java/maven/org.eclipse.sisu.inject-0.3.5.jar
+lib/java/maven/org.eclipse.sisu.plexus-0.3.5.jar
+lib/java/maven/plexus-cipher-2.0.jar
 lib/java/maven/plexus-component-annotations-2.1.0.jar
-lib/java/maven/plexus-interpolation-1.25.jar
-lib/java/maven/plexus-sec-dispatcher-1.4.jar
-lib/java/maven/plexus-utils-3.2.1.jar
-lib/java/maven/slf4j-api-1.7.29.jar
-lib/java/maven/wagon-file-3.3.4.jar
-lib/java/maven/wagon-http-3.3.4-shaded.jar
-lib/java/maven/wagon-provider-api-3.3.4.jar
+lib/java/maven/plexus-interpolation-1.26.jar
+lib/java/maven/plexus-sec-dispatcher-2.0.jar
+lib/java/maven/plexus-utils-3.3.0.jar
+lib/java/maven/slf4j-api-1.7.32.jar
+lib/java/maven/wagon-file-3.4.3.jar
+lib/java/maven/wagon-http-3.4.3-shaded.jar
+lib/java/maven/wagon-provider-api-3.4.3.jar
 share/doc/java/maven/LICENSE
 share/doc/java/maven/NOTICE
 share/doc/java/maven/README.txt
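Review bot: the maven-resolver jars land at 1.6.3 here while the quoted release notes only mention the upgrade to 1.6.2 (MNG-7123); the wagon jars at 3.4.3 do match MNG-7119. plexus-cipher and plexus-sec-dispatcher both jump to 2.0, a major-version change the log touches only indirectly through MNG-7219, so it deserves a line in the commit message for anyone tracking bundled-library versions on the stable branch.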
diff -r 8fd274fe0152 -r 5932b1f6a4e0 devel/apache-maven/distinfo
--- a/devel/apache-maven/distinfo       Sat Oct 16 18:52:17 2021 +0000
+++ b/devel/apache-maven/distinfo       Sat Oct 16 20:29:42 2021 +0000
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.18 2020/06/29 12:39:54 yyamano Exp $
+$NetBSD: distinfo,v 1.18.10.1 2021/10/16 20:29:42 tm Exp $
 
-SHA1 (apache-maven-3.6.3-bin.tar.gz) = cc836dc7e64b113472df31996caaedf132969009
-RMD160 (apache-maven-3.6.3-bin.tar.gz) = 825e2cca16a72da4bb0a4b5add615e155623c05e
-SHA512 (apache-maven-3.6.3-bin.tar.gz) = c35a1803a6e70a126e80b2b3ae33eed961f83ed74d18fcd16909b2d44d7dada3203f1ffe726c17ef8dcca2dcaa9fca676987befeadc9b9f759967a8cb77181c0
-Size (apache-maven-3.6.3-bin.tar.gz) = 9506321 bytes
+SHA1 (apache-maven-3.8.3-bin.tar.gz) = cbd24fbfa9845e72f1ca01b8571b5db5bde6c333
+RMD160 (apache-maven-3.8.3-bin.tar.gz) = 4b7b377a826109775cf6dfb3a9f7fac65842ee66
+SHA512 (apache-maven-3.8.3-bin.tar.gz) = 1c12a5df43421795054874fd54bb8b37d242949133b5bf6052a063a13a93f13a20e6e9dae2b3d85b9c7034ec977bbc2b6e7f66832182b9c863711d78bfe60faa
+Size (apache-maven-3.8.3-bin.tar.gz) = 9042049 bytes
 SHA1 (patch-bin_m2.conf) = 4fb50adbfb744635281853f0b81ec95a5fdab504
-SHA1 (patch-bin_mvn) = 30a0eb33a803eb3ace2f602f6fbb184c9bdeb969
+SHA1 (patch-bin_mvn) = 2efaaa95837cc0a626161d5fb9903e0a3f353c0f
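Review bot: the new SHA1, RMD160 and SHA512 values for apache-maven-3.8.3-bin.tar.gz only show that the file has not changed since the packager fetched it from a MASTER_SITE_APACHE mirror. Before accepting the pullup, compare the SHA512 line against the digest Apache publishes for this release, or verify the release signature, and say in the commit message that this was done, since distinfo is the only integrity anchor for this binary distribution.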
diff -r 8fd274fe0152 -r 5932b1f6a4e0 devel/apache-maven/patches/patch-bin_mvn
--- a/devel/apache-maven/patches/patch-bin_mvn  Sat Oct 16 18:52:17 2021 +0000
+++ b/devel/apache-maven/patches/patch-bin_mvn  Sat Oct 16 20:29:42 2021 +0000
@@ -1,12 +1,12 @@
-$NetBSD: patch-bin_mvn,v 1.8 2020/05/22 04:31:48 markd Exp $
+$NetBSD: patch-bin_mvn,v 1.8.12.1 2021/10/16 20:29:42 tm Exp $
 
 Reconcile JAVA_HOME evaluated at run time on Darwin vs. hardcoded
 via PKG_JAVA_HOME elsewhere.
 Follow pkgsrc path convention.
 
---- bin/mvn.orig       2018-06-17 18:30:11.000000000 +0000
+--- bin/mvn.orig       2021-09-27 18:25:22.000000000 +0000
 +++ bin/mvn
-@@ -42,9 +42,11 @@ fi
+@@ -46,9 +46,11 @@ fi
  # OS specific support. $var _must_ be set to either true or false.
  cygwin=false;
  mingw=false;
@@ -18,7 +18,7 @@
  esac
  
  ## resolve links - $0 may be a link to Maven's home
-@@ -89,12 +91,17 @@ if $mingw ; then
+@@ -93,19 +95,24 @@ if $mingw ; then
    # TODO classpath?
  fi
  
@@ -37,9 +37,8 @@
 +JAVACMD="$JAVA_HOME/bin/java"
 +
  if [ ! -x "$JAVACMD" ] ; then
-   echo "The JAVA_HOME environment variable is not defined correctly" >&2
-   echo "This environment variable is needed to run this program" >&2
-@@ -102,7 +109,7 @@ if [ ! -x "$JAVACMD" ] ; then
+   echo "The JAVA_HOME environment variable is not defined correctly," >&2
+   echo "this environment variable is needed to run this program." >&2
    exit 1
  fi
  
@@ -48,7 +47,7 @@
  CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher
  
  # For Cygwin, switch paths to Windows format before running java
-@@ -192,8 +199,10 @@ exec "$JAVACMD" \
+@@ -195,8 +202,10 @@ exec "$JAVACMD" \
    $MAVEN_OPTS \
    $MAVEN_DEBUG_OPTS \
    -classpath "${CLASSWORLDS_JAR}" \


