Why is Ehcache using the old version of jaxb-runtime?

Question

Why is Ehcache using the old version of jaxb-runtime?

micobarac opened this issue 4 months ago · comments

Using Maven v. 3.9.6 to create Docker image of project with Ehcache v. 3.10.8:

<dependency>
    <groupId>org.ehcache</groupId>
    <artifactId>ehcache</artifactId>
    <classifier>jakarta</classifier>
</dependency>

mvn dependency:go-offline

I get this error:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.6.1:go-offline (default-cli) on project openprovider-admin: org.eclipse.aether.resolution.DependencyResolutionException: Failed to collect dependencies at org.ehcache:ehcache:jar:jakarta:3.10.8 -> org.glassfish.jaxb:jaxb-runtime:jar:2.3.0-b170127.1453 -> org.glassfish.jaxb:jaxb-core:jar:2.3.0-b170127.1453 -> javax.xml.bind:jaxb-api:jar:2.3.0-b161121.1438: Failed to read artifact descriptor for javax.xml.bind:jaxb-api:jar:2.3.0-b161121.1438: The following artifacts could not be resolved: javax.xml.bind:jaxb-api:pom:2.3.0-b161121.1438 (absent): Could not transfer artifact javax.xml.bind:jaxb-api:pom:2.3.0-b161121.1438 from/to maven-default-http-blocker (http://0.0.0.0/): Blocked mirror for repositories: [releases.java.net (http://maven.java.net/content/repositories/releases/, default, releases+snapshots), shapshots.java.net (http://maven.java.net/content/repositories/snapshots/, default, releases+snapshots), jvnet-nexus-staging (http://maven.java.net/content/repositories/staging/, default, releases+snapshots), netbeans (http://bits.netbeans.org/nexus/content/groups/netbeans, default, releases)]

I tried excluding jaxb dependencies for Ehcache and adding explicit version of JAXB, but, for some reason, the old version gets pulled again.

Pagalba.com commented 3 months ago

+1

Milan Barać · Answer 1 · Tue Feb 27 2024 15:32:06 GMT+0800 (China Standard Time)

Milan Barać commented 4 months ago

Milan Barać · Answer 2 · Tue Feb 27 2024 17:46:50 GMT+0800 (China Standard Time)

Running:

mvn dependency:tree

show this result (partial output):

[INFO] +- org.ehcache:ehcache:jar:jakarta:3.10.8:compile
[INFO] |  \- org.glassfish.jaxb:jaxb-runtime:jar:4.0.4:runtime
[INFO] |     \- org.glassfish.jaxb:jaxb-core:jar:4.0.4:runtime
[INFO] |        +- org.glassfish.jaxb:txw2:jar:4.0.4:runtime
[INFO] |        \- com.sun.istack:istack-commons-runtime:jar:4.1.2:runtime

So, the BIG question is:

where is the org.glassfish.jaxb:jaxb-runtime:jar:2.3.0-b170127.1453 coming from???

The example from the official docs is not working:

<dependency>
  <groupId>org.ehcache</groupId>
  <artifactId>ehcache</artifactId>
  <version>3.10.0</version>
  <classifier>jakarta</classifier>

  <exclusions>
    <exclusion>
      <groupId>org.glassfish.jaxb</groupId>
      <artifactId>jaxb-runtime</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>org.glassfish.jaxb</groupId>
  <artifactId>jaxb-runtime</artifactId>
  <version>[3,3.1)</version>
</dependency>

Btw, executing:

mvn dependency:go-offline

with Ehcache version 3.9.11 works just fine.

Chris Dennis · Answer 3 · Wed Apr 03 2024 21:04:00 GMT+0800 (China Standard Time)

I think you are seeing a combination/collision of three things here:

https://issues.apache.org/jira/browse/MDEP-844
The Maven behavior of blocking access to http repository.
The way repositories in dependency pops get included in to the transitive resolution process.

Unless the Maven team decide to fix MDEP-844 I think you only path to getting go-offline to work will be to allow fetches from the currently blocked http URLs.

Seth Grannan · Answer 4 · Tue May 07 2024 20:46:18 GMT+0800 (China Standard Time)

This is only a problem with the 3.10 line of releases. Will you continue to support any releases without the JAXB dependency?

Is there a reason why you closed this issue because its still a valid question / problem that you've referenced the wrong library is it not (see #3217 regarding legacy use of http instead of https) ? Is this project still supported even without a release in over 1 year?

Chris Dennis · Answer 5 · Tue May 07 2024 21:57:34 GMT+0800 (China Standard Time)

Ehcache 3.10 provides two variants: the main variant which depends on Java packaged JAXB and a jakarta variant which depends on the new Jakarta packaged JAXB library. We continue to support and maintain both versions, although it has been a while since a public facing release has been cut.

The issue is closed because there is no issue here. Both environments (Javax and Jakarta) are supported. The issue regarding http versus https is unrelated and a somewhat natural result of Ehcache declaring both JAXB dependencies as a range to allow users flexibility in deployment, combined with the way Maven resolves dependencies.

Yes, Ehcache is still supported, and yes it's been a while since there has been a public facing release. This is something I would like to rectify but time and resources are spread thin and other work sometimes takes priority.