
maven-dependency-plugin 3.2.0 downloading struts 1.3.8


We are using the maven-dependency-plugin to get a ZIP from our Nexus for later use. We do this because it's the easiest way to download from our protected Nexus using the integrated Maven user handling.

When using the maven-dependency-plugin, it downloads Struts 1.3.8 as a dependency.

In older versions of the plugin this is normal, as it is a transitive dependency of the plugin: https://maven.apache.org/plugins-archives/maven-dependency-plugin-3.1.2/dependencies.html

In the current version it has been removed: https://maven.apache.org/plugins-archives/maven-dependency-plugin-3.2.0/dependencies.html This was accomplished by an update from org.apache.maven.doxia:doxia-site-renderer:jar:1.9 to org.apache.maven.doxia:doxia-site-renderer:jar:1.9.2 (1.9.2 excludes the struts dependency).

Still, using the plugin downloads struts, and I can't figure out why.

I tried with the latest Maven (3.8.3) and narrowed it down to a simple command:

mvn org.apache.maven.plugins:maven-dependency-plugin:3.2.0:get -DgroupId=commons-lang -DartifactId=commons-lang -Dversion=2.6 -Dmaven.repo.local=repo

That downloads an old commons-lang dependency using "repo" as the repository folder. If you check the download logs or the folder, it will contain "org/apache/struts/....".

I also tested with a simple pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.test</groupId>
    <artifactId>test-dep-plugin</artifactId>
    <version>1.0.0-SNAPSHOT</version>
    <packaging>pom</packaging>

    <build>
        <pluginManagement>
            <plugins>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-dependency-plugin</artifactId>
                    <version>3.2.0</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-site-plugin</artifactId>
                    <version>3.9.1</version>
                </plugin>
            </plugins>
        </pluginManagement>

        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-dependency-plugin</artifactId>
                <executions>
                    <execution>
                        <id>get</id>
                        <phase>validate</phase>
                        <goals>
                            <goal>get</goal>
                        </goals>
                        <configuration>
                            <groupId>org.apache.commons</groupId>
                            <artifactId>commons-lang3</artifactId>
                            <version>3.12.0</version>

                            <transitive>false</transitive>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>

</project>

You can try "mvn clean verify" to run this. That results in the same problem. I updated the "site" plugin because it also had a struts dependency in the older version.

I also tried to check the plugin dependencies by using: mvn dependency:resolve-plugins

That doesn't give me any struts dependencies. Still, some part of Maven seems to need them. They are gone if I remove the maven-dependency-plugin.

How can I get rid of all the (outdated and unneeded) struts-dependencies?


Solution

  • An update to maven-dependency-plugin 3.3.0 seems to fix the issue.

    When executing mvn org.apache.maven.plugins:maven-dependency-plugin:3.3.0:get -DgroupId=commons-lang -DartifactId=commons-lang -Dversion=2.6 -Dmaven.repo.local=repo I don't get any struts dependencies in the repo folder.
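Added example, not part of the original question or answer: Maven keeps the POM of every artifact it resolves in the local repository, so the "repo" folder from the commands above can be scanned for POMs that name org.apache.struts, separating real dependency declarations from exclusions (a plain text search would flag both). The function names and the com.example sample POMs are constructed for illustration.

```python
import os
import sys
import tempfile
import xml.etree.ElementTree as ET

def _child_text(elem, name):
    """Text of the direct child <name>, ignoring the POM XML namespace."""
    return next(((c.text or "").strip() for c in elem
                 if c.tag.rsplit("}", 1)[-1] == name), "")

def find_referrers(repo_dir, group="org.apache.struts"):
    """(pom, kind, artifactId) per POM outside `group` naming it as dependency or exclusion."""
    own_dir = group.replace(".", os.sep) + os.sep
    hits = []
    for root, _dirs, files in os.walk(repo_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), repo_dir)
            if not name.endswith(".pom") or rel.startswith(own_dir):
                continue                      # not a POM, or the group's own POMs
            try:
                tree = ET.parse(os.path.join(repo_dir, rel))
            except ET.ParseError:
                continue                      # truncated or non-XML download
            for elem in tree.iter():
                kind = elem.tag.rsplit("}", 1)[-1]
                if kind in ("dependency", "exclusion") and \
                        _child_text(elem, "groupId").startswith(group):
                    hits.append((rel.replace(os.sep, "/"), kind, _child_text(elem, "artifactId")))
    return sorted(hits)

_DEP = "<dependency><groupId>%s</groupId><artifactId>%s</artifactId>%s</dependency>"
_POM = '<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>%s</dependencies></project>'

def build_sample_repo(repo_dir):  # constructed POMs, hypothetical com.example coordinates
    struts = _DEP % ("org.apache.struts", "struts-core", "")
    excl = ("<exclusions><exclusion><groupId>org.apache.struts</groupId>"
            "<artifactId>struts-core</artifactId></exclusion></exclusions>")
    tools = _DEP % ("com.example", "tools", excl)
    for version, deps in (("1.0", struts), ("1.1", tools)):
        d = os.path.join(repo_dir, "com", "example", "renderer", version)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "renderer-%s.pom" % version), "w") as f:
            f.write(_POM % deps)
    return repo_dir

if __name__ == "__main__":
    repo = sys.argv[1] if len(sys.argv) > 1 else build_sample_repo(tempfile.mkdtemp())
    for pom, kind, artifact in find_referrers(repo):
        print("%-10s %s -> %s" % (kind, pom, artifact))
```

Pass the folder given to -Dmaven.repo.local as the only argument; without one it runs on the constructed sample. Only groupIds written literally in a POM are matched, so property placeholders and declarations inherited from a parent POM are not resolved.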