Maven plugin version not specified

Question

I have just noticed that plugin\'s version is optional in maven. I can still build my module without specifying it. Let\'s take an example with maven-bundle-plugin.

Answer 1

There are few steps maven follows to resolve the plugin version. It is documented as in Resolving Plugin Versions section of http://maven.apache.org/guides/introduction/introduction-to-plugin-registry.html

The documentation seems to have been moved, since 7yrs of this post. It is available at Maven 3.x Compatibility Notes as @ceilfors mentioned in his answer.

Answer 2

From Maven 3.x Compatibility Notes:

Automatic Plugin Version Resolution

When a plugin was invoked without an explicit version given in the POM or on the command line, Maven 2.x used to pick the latest version available where the latest version could either be a release or a snapshot. For the sake of stability, Maven 3.x prefers the latest release version over the latest snapshot version.

Given the threat of non-reproducible builds imposed by automatic plugin version resolution, this feature is scheduled for removal as far as plugin declarations in the POM are concerned. Users of Maven 3.x will find it output a warning when missing plugin versions are detected to encourage the addition of plugin versions to the POM or one of its parent POMs. The Enforcer rule requirePluginVersions can be used additionally check for missing plugin versions in the POM.

Answer 3

If you check the maven-metadata.xml file that is in your remote repository (e.g. Nexus) alongside the plugin artifact, you'll see something like this:

<metadata>
    <groupId>com.company.maven.plugins</groupId>
    <artifactId>some-maven-plugin</artifactId>
    <versioning>
      <latest>0.3.6</latest>
      <release>0.3.6</release>
      <versions>
        <version>0.1</version>
        <version>0.2</version>
        <version>0.3.0</version>
        <version>0.3.1</version>
        <version>0.3.2</version>
        <version>0.3.4</version>
        <version>0.3.5</version>
        <version>0.3.6</version>
      </versions>
      <lastUpdated>20140414212942</lastUpdated>
    </versioning>
  </metadata>

I think Maven may use the <latest> value to decide which plugin to download if the version is not specified.

Maven 3.0.x gives warnings for missing plugin versions and says "future versions of Maven may refuse to build malformed POMs like these" or something like that. You should always specify the plugin versions so your build is reproducible. Otherwise you can end up with some really hard to find bugs.