build(deps): update target-maven.version [security] by renovate-bot · Pull Request #4468 · googleapis/java-bigtable-hbase

renovate-bot · 2025-01-23T23:09:13Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.apache.maven:maven-core (source)	`3.0` → `3.8.1`
org.apache.maven:maven-plugin-api (source)	`3.0` → `3.9.15`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Origin Validation Error in Apache Maven

CVE-2021-26291 / GHSA-2f88-5hg8-9x2x

More information

Details

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html

Severity

CVSS Score: 9.1 / 10 (Critical)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

apache/maven (org.apache.maven:maven-plugin-api)

`v3.9.15`

`v3.9.14`

`v3.9.13`

`v3.9.12`: 3.9.12

🚀 New features and improvements

[3.9.x] Apply resolver changes and improvements (#11536) @cstamas
Update formatting of prerequisites-requirements error to improve readability (#11523) @slawekjaranowski
Allow a Maven plugin to require a Java version (#11479) @slawekjaranowski
Use MavenRepositorySystem in ProjectBuildingHelper instead of deprecated RepositorySystem (#11358) @slawekjaranowski
Make maven.config use UTF8 (#11264) @cstamas
Simplify prefix resolution (#11197) @slawekjaranowski

🐛 Bug Fixes

Add default implementation for new method in MavenPluginManager (#11522) @slawekjaranowski
Repository layout should be used in MavenRepositorySystem (#11495) @slawekjaranowski
Fix plugin prefix resolution when metadata is not available from repository (#11290) @slawekjaranowski
Improve source root modification warning message (#11105) @gnodet
Bug: bad cache isolation between two sessions (#11082) @cstamas
Set Guice class loading to CHILD - avoid using terminally deprecated methods (#11003) @slawekjaranowski
Avoid parsing MAVEN_OPTS (3.9.x) (#10969) @BobVul

📝 Documentation updates

clarify repository vs deployment repository (#11492) @hboutemy
add maintained branches (#11448) @hboutemy

👻 Maintenance

Add IntelliJ icon (#11408) @Bukama
Build by JDK 25 (#11187) @slawekjaranowski
Deprecate org.apache.maven.repository.RepositorySystem in 3.9.x (#11096) @slawekjaranowski

🔧 Build

Bump actions/download-artifact from 5.0.0 to 6.0.0 (#11335) @dependabot[bot]
Bump actions/upload-artifact from 4.6.2 to 5.0.0 (#11336) @dependabot[bot]

📦 Dependency updates

Bump actions/cache from 4.3.0 to 5.0.0 (#11542) @dependabot[bot]
Bump resolverVersion from 1.9.24 to 1.9.25 (#11533) @dependabot[bot]
Bump actions/checkout from 6.0.0 to 6.0.1 (#11512) @dependabot[bot]
Bump actions/setup-java from 5.0.0 to 5.1.0 (#11519) @dependabot[bot]
Bump actions/checkout from 5.0.1 to 6.0.0 (#11476) @dependabot[bot]
Bump actions/checkout from 5.0.0 to 5.0.1 (#11458) @dependabot[bot]
Bump commons-cli:commons-cli from 1.10.0 to 1.11.0 (#11438) @dependabot[bot]
Bump org.codehaus.plexus:plexus-interpolation from 1.28 to 1.29 (#11416) @dependabot[bot]
Bump commons-io:commons-io from 2.20.0 to 2.21.0 (#11417) @dependabot[bot]
Bump xmlunitVersion from 2.10.4 to 2.11.0 (#11331) @dependabot[bot]
Bump org.codehaus.mojo:animal-sniffer-maven-plugin from 1.24 to 1.26 (#11231) @dependabot[bot]
Bump org.ow2.asm:asm from 9.8 to 9.9 (#11203) @dependabot[bot]
Bump actions/cache from 4.2.4 to 4.3.0 (#11172) @dependabot[bot]
Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre (#11143) @dependabot[bot]
Bump xmlunitVersion from 2.10.3 to 2.10.4 (#11121) @dependabot[bot]
Bump actions/cache from 4.2.3 to 4.2.4 (#11032) @dependabot[bot]
Bump commons-cli:commons-cli from 1.9.0 to 1.10.0 (#11018) @dependabot[bot]
Bump commons-io:commons-io from 2.19.0 to 2.20.0 (#10966) @dependabot[bot]

`v3.9.11`: 3.9.11

🚀 New features and improvements

Augment version range resolution used repositories (#2574) @cstamas

🐛 Bug Fixes

Deduplicate filtered dependency graph (#2489) @alzimmermsft
Move ensure in boundaries of project lock (#2470) @cstamas

👻 Maintenance

[MNGSITE-393] - remove references to Maven 2 (#2438) @elharo
Update CONTRIBUTING after GitHub issues enabled (#2449) @slawekjaranowski
Enable Github Issues (3.9.x) (#2414) @Bukama
[MNG-8763] - Remove name from site bannerLeft (#2419) @slawekjaranowski

🔧 Build

Pin GitHub action versions by hash (#10898) @slawekjaranowski
Build the project by JDK 21 as default (#10896) @slawekjaranowski
Use Maven 3.9.10 for build on GitHub (#2452) @slawekjaranowski

📦 Dependency updates

Bump resolverVersion from 1.9.23 to 1.9.24 (#2540) @dependabot[bot]
Bump xmlunitVersion from 2.10.2 to 2.10.3 (#2500) @dependabot[bot]
Bump org.apache.maven:maven-parent from 44 to 45 (#2491) @dependabot[bot]
Bump org.codehaus.mojo:build-helper-maven-plugin from 3.6.0 to 3.6.1 (#2432) @dependabot[bot]

`v3.9.10`: 3.9.10

Release Notes - Maven - Version 3.9.10

Bug

[MNG-8096] - Inconsistent dependency resolution behaviour for concurrent multi-module build can cause failures
[MNG-8169] - MINGW support requires --add-opens java.base/java.lang=ALL-UNNAMED
[MNG-8170] - Maven 3.9.8 contains weird native library for Jansi on Windows/arm64
[MNG-8211] - Maven should fail builds that use CI Friendly versions but have no values set
[MNG-8248] - WARNING: A restricted method in java.lang.System has been called
[MNG-8256] - ProjectDependencyGraph bug: in case of filtering, non-direct module links are lost
[MNG-8315] - Failure of mvn.cmd if a .mvn directory is located at drive root
[MNG-8396] - Maven takes forever to resume
[MNG-8711] - "Duplicate artifact" in LifecycleDependencyResolver

Improvement

[MNG-8370] - Introduce maven.repo.local.head
[MNG-8399] - JDK 24+ issues warning about usage of sun.misc.Unsafe
[MNG-8707] - Add methods to remove compile and test source roots
[MNG-8712] - improve dependency version explanation: it's a requirement, not always effective version
[MNG-8717] - Remove maven-plugin-plugin:addPluginArtifactMetadata from default binding
[MNG-8722] - Use a single standalone version of asm
[MNG-8731] - Use https for xsi:schemaLocation in generated descriptors
[MNG-8734] - Simplify scripting like "get project version" cases

Task

[MNG-8728] - Bump Eclipse Sisu from 0.9.0.M3 to 0.9.0.M4 and use Java 24 on CI

Dependency upgrade

[MNG-8289] - Update Plexus annotations to 2.2.0
[MNG-8443] - Bump com.google.guava:guava from 33.2.1-jre to 33.4.0-jre
[MNG-8531] - Bump org.codehaus.plexus:plexus-utils from 3.5.1 to 3.6.0
[MNG-8532] - Bump commons-io:commons-io from 2.16.1 to 2.18.0
[MNG-8534] - Bump org.codehaus.mojo:buildnumber-maven-plugin from 3.2.0 to 3.2.1
[MNG-8635] - Bump com.google.guava:failureaccess from 1.0.2 to 1.0.3
[MNG-8636] - Bump com.google.guava:guava from 33.4.0-jre to 33.4.5-jre
[MNG-8640] - Bump org.apache.maven:maven-parent from 43 to 44
[MNG-8661] - Bump com.google.guava:guava from 33.4.5-jre to 33.4.6-jre
[MNG-8701] - Bump org.codehaus.plexus:plexus-interpolation from 1.27 to 1.28
[MNG-8702] - Bump org.codehaus.plexus:plexus-classworlds from 2.8.0 to 2.9.0
[MNG-8703] - Bump commons-io:commons-io from 2.18.0 to 2.19.0
[MNG-8704] - Bump com.google.guava:guava from 33.4.6-jre to 33.4.8-jre
[MNG-8705] - Bump commons-jxpath:commons-jxpath from 1.3 to 1.4.0
[MNG-8706] - Bump commons-cli:commons-cli from 1.8.0 to 1.9.0
[MNG-8715] - Bump org.fusesource.jansi:jansi from 2.4.1 to 2.4.2
[MNG-8716] - Bump resolver to 1.9.23
[MNG-8745] - Bump xmlunitVersion from 2.10.0 to 2.10.2

What's Changed

[MNG-8211] Fail the build if CI Friendly revision used without value by @cstamhttps://github.com/apache/maven/pull/1656l/1656
Add missing since by @cstamhttps://github.com/apache/maven/pull/1682l/1682
[MNG-8256] FilteredProjectDependencyGraph fix for non-transitive case by @cstamhttps://github.com/apache/maven/pull/1724l/1724
[MNG-8315] Failure of mvn.cmd if a .mvn folder is located at drive root by @fmarhttps://github.com/apache/maven/pull/1806l/1806
[MNG-8289] Update Plexus Annotations to 2.2.0 by @dependabhttps://github.com/apache/maven/pull/1666l/1666
[MNG-8370] Add maven.repo.local.head by @slawekjaranowshttps://github.com/apache/maven/pull/1915l/1915
[MNG-8443] Bump com.google.guava:guava from 33.2.1-jre to 33.4.0-jre by @dependabhttps://github.com/apache/maven/pull/1991l/1991
[MNG-8531] Bump org.codehaus.plexus:plexus-utils from 3.5.1 to 3.6.0 by @dependabhttps://github.com/apache/maven/pull/2013l/2013
[MNG-8532] Bump commons-io:commons-io from 2.16.1 to 2.18.0 by @dependabhttps://github.com/apache/maven/pull/1926l/1926
[MNG-8534] Bump org.codehaus.mojo:buildnumber-maven-plugin from 3.2.0 to 3.2.1 by @dependabhttps://github.com/apache/maven/pull/1699l/1699
Add PR Automation action by @slawekjaranowshttps://github.com/apache/maven/pull/2113l/2113
Bump com.google.guava:failureaccess from 1.0.2 to 1.0.3 by @dependabhttps://github.com/apache/maven/pull/2167l/2167
Bump com.google.guava:guava from 33.4.0-jre to 33.4.5-jre by @dependabhttps://github.com/apache/maven/pull/2168l/2168
[MNG-8640] Bump org.apache.maven:maven-parent from 43 to 44 by @dependabhttps://github.com/apache/maven/pull/2163l/2163
Use Maven 3.9.9 for build maven-3.9.x branch by @slawekjaranowshttps://github.com/apache/maven/pull/2177l/2177
[MNG-8248] Add enable-native-access to startup scripts by @slawekjaranowshttps://github.com/apache/maven/pull/2171l/2171
[MNG-8661] Bump com.google.guava:guava from 33.4.5-jre to 33.4.6-jre by @dependabhttps://github.com/apache/maven/pull/2185l/2185
Use dedicated local repo for ITs on Jenkins by @slawekjaranowshttps://github.com/apache/maven/pull/2255l/2255
[MNG-8701] Bump org.codehaus.plexus:plexus-interpolation from 1.27 to 1.28 by @dependabhttps://github.com/apache/maven/pull/2240l/2240
[MNG-8702] Bump org.codehaus.plexus:plexus-classworlds from 2.8.0 to 2.9.0 by @dependabhttps://github.com/apache/maven/pull/2241l/2241
[MNG-8703] Bump commons-io:commons-io from 2.18.0 to 2.19.0 by @dependabhttps://github.com/apache/maven/pull/2258l/2258
[MNG-8704] Bump com.google.guava:guava from 33.4.6-jre to 33.4.8-jre by @dependabhttps://github.com/apache/maven/pull/2264l/2264
[MNG-8705] Bump commons-jxpath:commons-jxpath from 1.3 to 1.4.0 by @dependabhttps://github.com/apache/maven/pull/2270l/2270
[MNG-8706] Bump commons-cli:commons-cli from 1.8.0 to 1.9.0 by @dependabhttps://github.com/apache/maven/pull/1665l/1665
[MNG-8715] Bump org.fusesource.jansi:jansi from 2.4.1 to 2.4.2 by @dependabhttps://github.com/apache/maven/pull/2280l/2280
[MNG-8707] Add methods to remove compile and test source roots by @gnodhttps://github.com/apache/maven/pull/2275l/2275
[MNG-8712] dependency version is a requirement, not effective by @hboutehttps://github.com/apache/maven/pull/2279l/2279
[MNG-8717] Remove maven-plugin-plugin:addPluginArtifactMetadata from default binding by @slawekjaranowshttps://github.com/apache/maven/pull/2295l/2295
[MNG-8169] Add opens java.base/java.lang=ALL-UNNAMED for MinGW by @slawekjaranowshttps://github.com/apache/maven/pull/2296l/2296
[MNG-8722] Use a single standalone version of asm by @slawekjaranowshttps://github.com/apache/maven/pull/2297l/2297
[MNG-8716] Bump resolver to 1.9.23 by @slawekjaranowshttps://github.com/apache/maven/pull/2282l/2282
[MNG-8731] Use https for xsi:schemaLocation in generated descriptors by @slawekjaranowshttps://github.com/apache/maven/pull/2343l/2343
[MNG-8711] Fix concurrent cache access by @slawekjaranowshttps://github.com/apache/maven/pull/2345l/2345
Update README.md by @slawekjaranowshttps://github.com/apache/maven/pull/2353l/2353
[MNG-8728] Bump Eclipse Sisu from 0.9.0.M3 to 0.9.0.M4 by @cstamhttps://github.com/apache/maven/pull/2359l/2359
[MNG-8728] Build ITs on JDK 21, 24 by @slawekjaranowshttps://github.com/apache/maven/pull/2360l/2360
[MNG-8734] Make Maven 3.9.10 ignore --raw-streams option by @cstamhttps://github.com/apache/maven/pull/2361l/2361
Bump xmlunitVersion from 2.10.0 to 2.10.1 by @dependabhttps://github.com/apache/maven/pull/2354l/2354
[MNG-8396] Backport: add cache layer to the filtered dep graph by @cstamhttps://github.com/apache/maven/pull/2393l/2393
[MNG-8745] Bump xmlunitVersion from 2.10.1 to 2.10.2 by @dependabhttps://github.com/apache/maven/pull/2389l/2389

New Contributors

@fmarot made their first contributihttps://github.com/apache/maven/pull/1806l/1806

Full Changelog: apache/maven@maven-3.9.9...maven-3.9.10

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate-bot requested a review from a team January 23, 2025 23:09

product-auto-label Bot added the size: xs Pull request size is extra small. label Jan 23, 2025

trusted-contributions-gcf Bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jan 23, 2025

product-auto-label Bot added the api: bigtable Issues related to the googleapis/java-bigtable-hbase API. label Jan 23, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jan 23, 2025

renovate-bot force-pushed the renovate/target-maven.version branch from 2a3836d to 8e330a0 Compare March 6, 2025 21:52

trusted-contributions-gcf Bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Mar 6, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Mar 6, 2025

renovate-bot force-pushed the renovate/target-maven.version branch from 8e330a0 to 06002d9 Compare March 6, 2025 22:43

trusted-contributions-gcf Bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Mar 6, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Mar 6, 2025

renovate-bot force-pushed the renovate/target-maven.version branch from 06002d9 to 86fa0a3 Compare April 1, 2025 12:27