Relax plugin prerequisites to minimum required version #241

Closed
mattnelson opened this issue Mar 8, 2024 · 9 comments

mattnelson commented Mar 8, 2024

Starting with 2.8.0 the plugin prerequisite was bumped from 3.2.5 to 3.9.5[1]. From looking at the various PRs that applied those updates (#220 and #206) there doesn't appear to be any compilation updates requiring 3.9.5. But now with that update this plugin no longer works on any previous maven versions since the prerequisite element[2] is enforced by maven[3] for plugins.

    Failed to execute goal org.gaul:modernizer-maven-plugin:2.8.0:modernizer (default) on project <>: The plugin org.gaul:modernizer-maven-plugin:2.8.0 requires Maven version 3.9.5

Can the prerequisite be reverted to the minimum version needed? Or even a few versions back but maybe not all the way to 3.2, maybe 3.8[4]? Preferably whatever is decided would be a major/minor version and not a patch version.

[1] modernizer-maven-plugin-2.7.0...modernizer-maven-plugin-2.8.0#diff-6ce0d1d232829895a06b9b19f7f57d6bdcf2c2b9661fe93c071a56403ed18385R24
[2] https://maven.apache.org/guides/development/guide-plugin-documentation.html#optional-elements
[3] https://maven.apache.org/ref/3.9.5/maven-model/maven.html#class_prerequisites
[4] https://maven.apache.org/docs/history.html

Owner

gaul commented Mar 8, 2024

I'm not sure why @dependabot updated this to 3.8.1 and now 3.9.5. I'll revert it and run a 3.8.1 release.

gaul closed this as completed in c4c20f0 Mar 8, 2024

Owner

gaul commented Mar 8, 2024

Versions earlier than 3.8.1 have a security vulnerability that I guess requiring newer maven works around?

Owner

gaul commented Mar 18, 2024

See #242. CC @cstamas.

Contributor

cstamas commented Mar 18, 2024

If you depend on newer, vuln will go away (like now). Basically the problem was "wrong pattern", where maven-version property was used for both: prerequisite but also version of the maven deps

Contributor

hazendaz commented Mar 26, 2024

Yes please fix this, maven supports 3.6.3 or better. They are promoting all plugins get upgraded to 3.6.3. Just split your property you are using here. The min maven version should not be shared as noted already. Dependabot/renovate/others will not open issues in that case. You run off the 3.9.6 api, your min is 3.6.3. This 'mavenVersion' should be split to two properties or just hard code the min version required and use the property in the properties section instead.

In, set usage as the example:

https://github.com/gaul/modernizer-maven-plugin/blob/master/modernizer-maven-plugin/pom.xml

Example:

    <prerequisites>
        <maven>3.6.3</maven>
    </prerequisites>

    <properties>
        <mavenVersion>3.9.6</mavenVersion>
    </properties>
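
A check for the shared-property pattern discussed in this thread, as an added example that is not part of any participant's comment or the project's code: it reports every property that a POM uses both in `<prerequisites><maven>` and in a dependency `<version>`, so an automated dependency bump cannot silently raise the enforced minimum Maven version. The sample POMs and the names `POM_TEMPLATE`, `SHARED_POM`, `SPLIT_POM` and `shared_version_properties` are constructed for illustration; the version numbers mirror those quoted in the thread.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PROP_REF = re.compile(r"\$\{([^}]+)\}")  # matches ${propertyName}

# Constructed sample POM (not the project's actual pom.xml).
# First slot: prerequisite value; second slot: value of mavenVersion.
POM_TEMPLATE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <prerequisites><maven>%s</maven></prerequisites>
  <properties><mavenVersion>%s</mavenVersion></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-plugin-api</artifactId>
      <version>${mavenVersion}</version>
    </dependency>
  </dependencies>
</project>"""

# Coupled: one property drives both the minimum and the API version.
SHARED_POM = POM_TEMPLATE % ("${mavenVersion}", "3.9.5")
# Split: hard-coded minimum, property used only for the dependencies.
SPLIT_POM = POM_TEMPLATE % ("3.6.3", "3.9.6")


def _refs(text):
    """Return the set of property names referenced as ${name} in text."""
    return set(PROP_REF.findall(text or ""))


def shared_version_properties(pom_xml):
    """Map each property used by both the Maven prerequisite and a
    dependency version to its declared value ({} when they are decoupled)."""
    root = ET.fromstring(pom_xml)
    prereq = root.find("m:prerequisites/m:maven", NS)
    if prereq is None:
        return {}
    dep_refs = set()
    for version in root.iterfind(".//m:dependency/m:version", NS):
        dep_refs |= _refs(version.text)
    shared = _refs(prereq.text) & dep_refs
    # Strip the namespace from each <properties> child to get its name.
    values = {p.tag.split("}", 1)[-1]: (p.text or "").strip()
              for p in root.iterfind("m:properties/*", NS)}
    return {name: values.get(name) for name in sorted(shared)}


if __name__ == "__main__":
    for label, pom in (("shared", SHARED_POM), ("split", SPLIT_POM)):
        print(label, shared_version_properties(pom))
```
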

Contributor

See https://maven.apache.org/docs/history.html#maven-3-6-x-and-before for 3.6.3 being pushed now.

Contributor

I'll raise a PR for this in a few minutes.

Contributor

Never mind, didn't see it linked to this ticket as fixed already. Now just waiting on a release ;)

Contributor

> See #242. CC @cstamas.

Silly me, that wasn't clear enough as lot going on there. That commit fixed it in case others were looking for it being fixed.
