NEXUS-30879 - Update various dependencies to latest versions

[mpiggott]

No description provided.

[nblair]

Per #91 I don't think we can make this change directly here, as it will fail without making the updates to the XStream instance. Since that's declared elsewhere, let's skip this one for now and accept the others.

[nblair]

In 5203377 I updated the NXRM 2 dependency, which includes the changes to the XStream instance. I think we can keep this upgrade in place.

[cstamas]

This PR breaks the plugin sadly. Declaring maven-core provided is nice, but did you consider the consequences?

[nblair]

@cstamas thanks for chiming in - I'm unaware of the consequences. I recall seeing a warning in the build about the maven dependencies being declared as compile dependencies, along with the recommendation to switch the scope to provided. Any tips would be appreciated.

[cstamas]

Simplest but ugliest fix: put back maven-core (and other maven deps) into compile scope and live with warning at build time.

Proper fix: enlist all the maven dependencies you use/require in POM (this is the best practice anyway), and do not rely that "core will give you them transitively" (is not when provided!). But there is a twist: given original SecDispatcher went dead (https://github.com/sonatype/plexus-sec-dispatcher and https://github.com/sonatype/plexus-cipher), it was "adopted" and updated by Plexus GH org (https://github.com/codehaus-plexus/plexus-sec-dispatcher and https://github.com/codehaus-plexus/plexus-cipher) and hence, it's GAV changed among Maven dependencies (between 3.8.2 and 3.8.3). Best solution would be if you declare direct dependency on org.codehaus.plexus:plexus-sec-dispatcher:2.0.

Relevant change present in Maven 3.8.3 (and 3.8.4): apache/maven@c76c9d9
OTOH: 3.8.1 and 3.8.2 suffered from related problem: https://issues.apache.org/jira/browse/MNG-7219

Finally, please up the maven version you compile against, 3.0.4 was EONS ago (exactly 10 years ago). ASF Maven project itself ups maven dep on plugins to 3.2.5+. Make it at least Maven 3.1.x.

---

Also, please take this above with a grain of salt, as best would be to test plugin with Maven versions intended to be used with.

---

Errors reported by users to us (w/ Maven 3.8.4):
1.6.9 does not even start

[WARNING] ClassRealm[plugin>org.sonatype.plugins:nexus-m2settings-maven-plugin:1.6.9, parent: jdk.internal.loader.ClassLoaders$AppClassLoader@277050dc]
com.google.inject.CreationException: Unable to create injector, see the following errors:

1) No implementation for com.fasterxml.jackson.databind.ObjectMapper annotated with interface org.eclipse.sisu.inject.TypeArguments$Implicit was bound.
  Did you mean?
    com.fasterxml.jackson.databind.ObjectMapper annotated with @com.google.inject.name.Named(value="org.sonatype.sisu.siesta.jackson.ObjectMapperProvider") bound  at ClassRealm[plugin>org.sonatype.plugins:nexus-m2settings-maven-plugin:1.6.9, parent: jdk.internal.loader.ClassLoaders$AppClassLoader@277050dc] (via modules: org.eclipse.sisu.wire.WireModule -> org.eclipse.sisu.plexus.PlexusBindingModule)

    com.fasterxml.jackson.databind.ObjectMapper bound  at org.eclipse.sisu.wire.LocatorWiring

  at org.eclipse.sisu.wire.LocatorWiring

1 error

1.6.10: after connecting

[ERROR] Failed to execute goal org.sonatype.plugins:nexus-m2settings-maven-plugin:1.6.10:download (default-cli) on project standalone-pom: Connection failed: XPP3 pull parser library not present. Specify another driver. For example: new XStream(new DomDriver()): org.xmlpull.mxp1.MXParser -> [Help 1]

1.6.11 after connecting

[WARNING] Error injecting: org.sonatype.nexus.maven.m2settings.template.MasterPasswordEncryptionImpl
java.lang.NoClassDefFoundError: org/sonatype/plexus/components/sec/dispatcher/SecDispatcher
    at java.lang.Class.getDeclaredConstructors0 (Native Method)
    at java.lang.Class.privateGetDeclaredConstructors (Class.java:3137)
...
Caused by: java.lang.ClassNotFoundException: org.sonatype.plexus.components.sec.dispatcher.SecDispatcher
    at org.codehaus.plexus.classworlds.strategy.SelfFirstStrategy.loadClass (SelfFirstStrategy.java:50)
    at org.codehaus.plexus.classworlds.realm.ClassRealm.unsynchronizedLoadClass (ClassRealm.java:271)
..
[WARNING] Error injecting: org.sonatype.nexus.maven.m2settings.template.UserTokenCustomizer
java.lang.NoClassDefFoundError: org/sonatype/plexus/components/sec/dispatcher/SecDispatcher
    at java.lang.Class.getDeclaredConstructors0 (Native Method)
    at java.lang.Class.privateGetDeclaredConstructors (Class.java:3137)
...
Caused by: java.lang.ClassNotFoundException: org.sonatype.plexus.components.sec.dispatcher.SecDispatcher
    at org.codehaus.plexus.classworlds.strategy.SelfFirstStrategy.loadClass (SelfFirstStrategy.java:50)
    at org.codehaus.plexus.classworlds.realm.ClassRealm.unsynchronizedLoadClass (ClassRealm.java:271)
...

[nblair]

Thanks for the tips @cstamas I'll track this down. My thinking is to first try to revert the provided scope changes to make a 1.6.x patch release, then look towards the larger changes for a 1.7.x, wdyt?

[nblair]

Looks like maven-core is pulled in via maven-compat, which is a compile requirement for at a minimum https://github.com/sonatype/nexus-maven-plugins/blob/main/staging/maven-plugin/src/main/java/org/sonatype/nexus/maven/staging/deploy/strategy/DirectDeployStrategy.java#L18.

I pushed up a branch (https://github.com/sonatype/nexus-maven-plugins/tree/maven-scope) with that workaround; builds and tests locally, but there is definitely a lack of e2e tests that would help clarify if it fully addresses the issues.

[famod]

Because of this I seem to be running into https://issues.sonatype.org/browse/NEXUS-23594

[INFO] Uploaded to ossrh: https://s01.oss.sonatype.org:443/service/local/staging/deployByRepositoryId/iogithubgitflow-incremental-builder-1000/io/github/gitflow-incremental-builder/gitflow-incremental-builder/4.0.0/gitflow-incremental-builder-4.0.0-sources.jar.asc (499 B at 2.0 kB/s)
[INFO] [INFO]  * Upload of locally staged artifacts finished.
[INFO] [INFO]  * Closing staging repository with ID "iogithubgitflow-incremental-builder-1000".
[INFO] [INFO] ------------------------------------------------------------------------
[INFO] [INFO] BUILD FAILURE
[INFO] [INFO] ------------------------------------------------------------------------
[INFO] [INFO] Total time:  01:54 min
[INFO] [INFO] Finished at: 2022-02-21T00:43:24+01:00
[INFO] [INFO] ------------------------------------------------------------------------
[INFO] [ERROR] Failed to execute goal org.sonatype.plugins:nexus-staging-maven-plugin:1.6.11:deploy (injected-nexus-deploy) on project gitflow-incremental-builder: Execution injected-nexus-deploy of goal org.sonatype.plugins:nexus-staging-maven-plugin:1.6.11:deploy failed: An API incompatibility was encountered while executing org.sonatype.plugins:nexus-staging-maven-plugin:1.6.11:deploy: java.lang.IllegalAccessError: class com.sonatype.nexus.staging.client.internal.StagingWorkflowV3ServiceImpl tried to access method 'void com.google.common.base.Stopwatch.<init>()' (com.sonatype.nexus.staging.client.internal.StagingWorkflowV3ServiceImpl and com.google.common.base.Stopwatch are in unnamed module of loader org.codehaus.plexus.classworlds.realm.ClassRealm @64030b91)
[INFO] [ERROR] -----------------------------------------------------

[nblair]

@famod please try release 1.6.12, I believe the issue is addressed in that release.