
Maven Artifact Resolver not seeing latest plugins on Maven Central on my machine


I am using Maven 3.9.1 on Windows 10. I also use Eclipse EE 2023-03, which contains m2e (Eclipse's support for Maven). I am checking a POM for plugin version updates using the Versions Maven Plugin, but many aren't showing up even though another person sees updates available in Maven Central when checking against the same POM. This is being discussed on Versions Maven Plugin Issue #959, but I'm posting the problem here in hopes that a wider audience can shed some light on why Maven might be "stuck" seeing only older versions.

I start with this pom.xml, which uses org.codehaus.mojo:versions-maven-plugin:2.12.0, which in turn (I am told) uses Maven Artifact Resolver. (Note that I've tried the latest org.codehaus.mojo:versions-maven-plugin:2.15.0 as well, with the same results. I'm using this POM because it's available online and does not contain any version ignores to cause confusion; initially I thought that was the problem on Issue #959, but that turned out not to be the case.)

I wanted to see what plugins were out of date, so I ran:

mvn versions:display-plugin-updates

It shows this:

[INFO] The following plugin updates are available:
[INFO]   maven-failsafe-plugin .......................... 2.22.2 -> 3.0.0-M7
[INFO]   maven-release-plugin ............................ 2.5.3 -> 3.0.0-M6
[INFO]   maven-site-plugin .............................. 3.12.1 -> 4.0.0-M3
[INFO]   maven-surefire-plugin .......................... 2.22.2 -> 3.0.0-M7
[INFO]   org.springframework.boot:spring-boot-maven-plugin .. 2.7.3 -> 3.0.5

However in Issue #959, someone else ran the same command and came up with different answers. Here are two examples:

[INFO]   org.springframework.boot:spring-boot-maven-plugin .. 2.7.3 -> 3.1.0

Note that my output is only showing v3.0.5 is available for org.springframework.boot:spring-boot-maven-plugin. Furthermore there are later versions available for some of the other plugins as well.

[INFO]   com.akathist.maven.plugins.launch4j:launch4j-maven-plugin  2.1.3 -> 2.4.1

My output doesn't even show com.akathist.maven.plugins.launch4j:launch4j-maven-plugin; apparently it thinks the current v2.1.3 is the latest available!

It would appear that Maven Resolver is somehow "stuck" at some earlier point in time.

I ran Maven with the -X option, and here is part of the output related to com.akathist.maven.plugins.launch4j:launch4j-maven-plugin:

…
[DEBUG] Checking com.akathist.maven.plugins.launch4j:launch4j-maven-plugin for updates newer than 2.1.3
[DEBUG] Could not find metadata com.akathist.maven.plugins.launch4j:launch4j-maven-plugin/maven-metadata.xml in local (C:\Users\user\.m2\repository)
[DEBUG] Skipped remote request for com.akathist.maven.plugins.launch4j:launch4j-maven-plugin/maven-metadata.xml, locally cached metadata up-to-date
[DEBUG] [com.akathist.maven.plugins.launch4j:launch4j-maven-plugin].version=2.1.3
[DEBUG] [com.akathist.maven.plugins.launch4j:launch4j-maven-plugin].artifactVersion=2.1.2
[DEBUG] [com.akathist.maven.plugins.launch4j:launch4j-maven-plugin].effectiveVersion=2.1.3
[DEBUG] [com.akathist.maven.plugins.launch4j:launch4j-maven-plugin].specified=true
…

This debug information seems to be saying that it can't find C:\Users\user\.m2\repository\com\akathist\maven\plugins\launch4j\launch4j-maven-plugin\maven-metadata.xml. And in fact that file does not exist! Instead I have C:\Users\user\.m2\repository\com\akathist\maven\plugins\launch4j\launch4j-maven-plugin\maven-metadata-central.xml. (I don't know what the differences are.)

The more ominous line is this one:

[DEBUG] Skipped remote request for com.akathist.maven.plugins.launch4j:launch4j-maven-plugin/maven-metadata.xml, locally cached metadata up-to-date

What might be causing Maven Resolver on my machine to get "stuck" at an earlier point in time, and/or to skip checking Maven Central altogether for newer versions of many plugins?

(Note that I don't want to just delete my entire C:\Users\user\.m2\repository\ directory tree just yet, or to otherwise "force" Maven Resolver to contact the remote repositories. I would prefer first to understand what is causing the current behavior so that I may investigate why this happened in the first place in order to prevent it happening again in the future.)


Solution

  • This turned out to occur in a certain set of circumstances in which some tool or plugin apparently using Maven Compat would update the state file resolver-status.properties for an artifact in the local repository, but use a central.maven-metadata-central.xml.lastUpdated property instead of (if I'm not mistaken) the lastUpdated property. After this Maven Artifact Resolver would come along and not find the lastUpdated property it was expecting, and instead of saying "I don't know when it was last updated, so let's update it" it says "I don't know when it was last updated, so I'll assume it should never be updated".

    When this set of circumstances occurs, that artifact will be forever "locked" at a single version and Versions Maven Plugin will never see any later version because Maven Artifact Resolver will never check again. One workaround is to use -U with Versions Maven Plugin to force an update.

    The reason most people could not reproduce this is that they were starting from an empty local repository, or at least one that had never checked Maven Central for the artifact in question before using a different tool/plugin that used a different last-updated property.

    This issue was investigated and analyzed further in MRESOLVER-363, but the latest evaluation from the team is that this is not a bug and is functioning as designed.

    However, an upcoming release of Versions Maven Plugin (see Pull Request #957) will include an override to the default policy to allow Maven Artifact Resolver to recognize that it should go ahead and check Maven Central for updates even in this situation.
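
The state described in the answer can be looked for directly in a local repository. The following is an added example, not code from the original post or from Maven: it walks a repository tree and reports every resolver-status.properties that carries the repository-prefixed key named above but no unprefixed counterpart. The function names and the sample tree are constructed for illustration, and the unprefixed key name is an assumption, since the answer only calls it "the lastUpdated property".

```python
import re
import tempfile
from pathlib import Path

# Key the answer says the Maven Compat code path writes, e.g.
# "central.maven-metadata-central.xml.lastUpdated" (repository id prefixed).
COMPAT_KEY = re.compile(r"^(?P<repo>[^.]+)\.maven-metadata-(?P=repo)\.xml\.lastUpdated$")

def read_keys(path):
    """Return the keys of a Java .properties file (split on first unescaped = or :)."""
    keys = set()
    for line in path.read_text(encoding="iso-8859-1").splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key = re.split(r"(?<!\\)[=:]", line, maxsplit=1)[0].strip()
        keys.add(key.replace("\\", ""))
    return keys

def find_stuck_metadata(repo_root):
    """List (directory, repo id) pairs whose state file has only the compat key."""
    stuck = []
    for status in sorted(Path(repo_root).rglob("resolver-status.properties")):
        keys = read_keys(status)
        for key in sorted(keys):
            m = COMPAT_KEY.match(key)
            # ASSUMPTION: the resolver's own key is the same name without the
            # repository-id prefix; the page only calls it "the lastUpdated property".
            if m and f"maven-metadata-{m['repo']}.xml.lastUpdated" not in keys:
                stuck.append((status.parent.relative_to(repo_root).as_posix(), m["repo"]))
    return stuck

def build_sample_repo(root):
    """Constructed sample: one artifact in the stuck state, one healthy."""
    samples = {
        "com/akathist/maven/plugins/launch4j/launch4j-maven-plugin":
            "#constructed sample\ncentral.maven-metadata-central.xml.lastUpdated=1680000000000\n",
        "org/example/healthy-plugin":
            "#constructed sample\nmaven-metadata-central.xml.lastUpdated=1680000000000\n",
    }
    for rel, body in samples.items():
        d = Path(root, rel)
        d.mkdir(parents=True)
        (d / "resolver-status.properties").write_text(body, encoding="iso-8859-1")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        print(find_stuck_metadata(tmp))
```

Pointing find_stuck_metadata at a real local repository lists the artifacts whose update checks are being skipped, which matters when the missed versions include security fixes.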