This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 247988 - Update to Maven 3.3.9
Summary: Update to Maven 3.3.9
Alias: None
Product: projects
Classification: Unclassified
Component: Maven (show other bugs)
Version: 8.0.1
Hardware: PC Windows 7
: P1 normal with 11 votes (vote)
Assignee: Tomas Stupka
: 245829 249253 252496 255325 (view as bug list)
Depends on:
Blocks: 268828
  Show dependency tree
Reported: 2014-10-16 20:01 UTC by peathal
Modified: 2017-08-28 20:11 UTC (History)
9 users (show)

See Also:
Exception Reporter:


Note You need to log in before you can comment on or make changes to this bug.
Description peathal 2014-10-16 20:01:30 UTC
It would be important to upgrade to maven 3.2.3 as older versions are less secure:
"The primary motivation for this quick release is to provide HTTPS access to Maven Central by default." taken from the release notes:

Of course I could switch to a local maven installation but then I have trouble with compile on save. See
Comment 1 peathal 2014-10-17 14:26:15 UTC
Here some background information why I think this is P1:

Otherwise this is insecure for ALL maven users of NetBeans. Before 3.2.3 Jars were fetched via HTTP, which is not really good:

here is sonatype's response:
Comment 2 Tomas Stupka 2014-10-24 14:47:11 UTC
Doing a maven upgrade typically comes with the extra cost of incombatibility issues either on code level or with broken feature behavior and while focusing on other priorities, we have to be careful about pulling in a possible earthquake with side effects potentially popping up moths later. 

upgrading the bundled maven is just a question of time, but at the moment it is still open in what time horizon this will happen.
Comment 3 Milos Kleint 2014-10-25 06:12:28 UTC
The embedded maven usage has a fairly low profile when it comes to the networking code in maven. Basically if you set a new maven in tools/options and avoid triggering the "download dependencies" or "download source/javadoc", you are more or less safe as the embedded code mostly works in offline mode for performance reasons.

I suppose the download actions could be rewritten to use external maven as well and we could get rid of onlineembedder altogether.
Comment 4 markiewb 2015-05-09 15:15:20 UTC
*** Bug 249253 has been marked as a duplicate of this bug. ***
Comment 5 markiewb 2015-05-09 15:15:57 UTC
*** Bug 245829 has been marked as a duplicate of this bug. ***
Comment 6 Tomas Stupka 2015-05-20 08:20:12 UTC
*** Bug 252496 has been marked as a duplicate of this bug. ***
Comment 7 bondolo 2015-08-18 15:03:27 UTC
Many current maven plugins require newer versions of Maven than the 3.0.3 bundled with NetBeans 8.0.X. It was rather surprising to see that NetBeans 8.1 Beta only bundled 3.0.5.

Is there a compelling reason to use 4 or 3 year old versions of maven vs something more current? For the plugins we are using our minimum is 3.2 and this seems pretty typical. It is a hassle to have every developer install maven and configure netbeans to use the installed version rather than the bundled version because netbeans is bundling some ancient release.
Comment 8 peathal 2016-01-07 11:52:34 UTC
I would like to ask if someone at Netbeans could re-evaluate if this is now worth the effort: 

 * This is a security issue as explained in the first two comments
 * Already 5 votes and marked as P1
 * Several duplicates indicating a real priority from the community
 * Maven 3.3.9 is out and the bundled version is 3 years old
 * Still not fixed in 8.1
Comment 9 Geertjan Wielenga 2016-01-27 19:48:30 UTC
For 8.2, we're investigating the work to be done to upgrade to the latest Maven, Maven Indexer, and Lucene.
Comment 10 terje7601 2016-02-16 07:31:15 UTC
Please also investigate adding support for Maven features such as toolchains.xml (bug 189496), transitive dependency excludes (bug 250449) and project-specific jvm and command line options (bug 254716). While I fully agree this is an important issue, it is something that can easily be worked around, whereas NetBeans-specific support for Maven features isn't.
Comment 11 markiewb 2016-05-11 19:40:23 UTC
Change title back to "Update to Maven 3.2.3" after SPAM-attack
Comment 12 Tomas Stupka 2016-06-23 10:03:59 UTC
*** Bug 255325 has been marked as a duplicate of this bug. ***
Comment 13 Tomas Stupka 2016-11-02 13:49:31 UTC
fixed in jet-main #0062c8194dcc
Comment 14 Tomas Stupka 2016-11-02 13:50:00 UTC
the embedded maven is now 3.3.9
Comment 15 Zoltan Levardy 2016-12-16 14:15:53 UTC
just downloaded 8.2 for Mac. And it is still shown 3.0.5 as bundled maven. How can I get a more recent?

Comment 16 Zoltan Levardy 2016-12-16 14:16:52 UTC
just downloaded 8.2 for Mac. And it is still shown 3.0.5 as bundled maven. How can I get a more recent?

Comment 17 javydreamercsw 2017-01-26 18:20:24 UTC
Still seeing 3.0.5 bundled with 8.2.
Comment 18 Tomas Stupka 2017-01-27 09:55:57 UTC
(In reply to javydreamercsw from comment #17)
> Still seeing 3.0.5 bundled with 8.2.
this was fixed in trunk, not in 8.2
Comment 19 everflux 2017-01-27 09:59:12 UTC
Just as a remark: If there is a new maven version compatible with Java 9 we should prepare to make another update for NetNeans 9.
Comment 20 davidswe 2017-02-18 21:06:40 UTC
Has anyone anyone a solution for this.  I just downloaded 8.2.  It says there a fix in trunk.  It is really a problem.  I am unable to use netbeans for deploying to Google App Engine.
Comment 21 everheul 2017-08-28 20:11:20 UTC
I am unable to compile Jenkins. Detected Maven Version: 3.0.5 is not in the allowed range 3.1.0.