Update Maven to 3.8.6, maven-wrapper to 3.1.1 and maven-invoker to 3.2.0

[famod]

https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316922&version=12351556

[MNG-7432] - [REGRESSION] Resolver session contains non-MavenWorkspaceReader

is the one that caused Quarkus to not update to 3.8.5.

PS: Bumping wrapper and invoker is not mandatory, but I saw those were outdated and just updated them as well.

[famod]

See apache/maven-invoker@ca84e5c#diff-7a2ee223cf0ee38d98ed325df11438abe1b5134ce5d7430933461efc0ff5963cL725
I think this change should be ok given the way Quarkus is using this method.

[aloubyansky]

This is a breaking API change though, isn't it? Does this code work with Maven 3.8.6 w/o this change?

[famod]

This is a change in maven-invoker, not in actual Maven, so I don't think Maven < 3.8.6 will have a problem with this.

Should I break this up into three PRs?

[aloubyansky]

Should be OK then, given that it's managed in the quarkus-bom.

[famod]

Good candidate for 2.10.0 AFAICS, but too bad it comes too late for CR1.

[aloubyansky]

Thanks @famod

[famod]

@gsmet any objections?

[famod]

I'll go ahead and merge this.

[rsvoboda]

I think this PR should have noteworthy (or breaking change ) label. And probably migration guide entry.

maven-wagon was updated to 3.5.1 and no longer pulls in jsoup dependency.

We have seen two kinds of troubles

A) failures with consul extension - quarkiverse/quarkus-config-extensions#70

B) usage of jsoup in tests, jsoup was transitive dependency of io.quarkus:quarkus-junit5 and people probably didn't define jsoup explicitly in their projects

[gsmet]

Hmmm, let's not backport it then.

[aloubyansky]

Thanks for noticing @rsvoboda We'll need to check whether we still want to manage jsoup in the quarkus-bom.

[gsmet]

I think we shouldn't. JSoup sometimes have CVE so I would rather avoid it if we don't have a dependency on it.

[famod]

So the idea is to:

• remove jsoup from independent-projects/bootstrap/**
• add it to build-parent (just managed)
• revisit and probably remove the exclusion from docs

❓

[gsmet]

If we are not depending on it, yes. Now I'm a bit unclear if we are still dragging it in some cases?

[aloubyansky]

The extension processor uses it. I would say yes to your plan @famod. Were you planning to take care of that?

[rsvoboda]

I created #26141 for jsoup in the morning, these discussions should be probably moved there

[rsvoboda]

about add it to build-parent (just managed) .. there was #21406 for move from build-parent to bootstrap-bom in November last year ;)

[aloubyansky]

True, the bootstrap doesn't use it any more though.