Description
Affected version
apache-maven-3.8.8
Bug description
What is the issue?
The dependency:collect goal downloads JAR files even though the official documentation states it should only download POM files, not the actual artifacts (JARs). The documentation for the goal reads: "Goal that collects the project dependencies from the repository. This goal requires Maven 3.0 or higher to function because it uses "requiresDependencyCollection". This means that it lists the groupId:artifactId:version information by downloading the pom files without downloading the actual artifacts such as jar files."
This is problematic for use cases where only metadata (GAV coordinates) is required — for example, comparing the dependency graph with a compliance registry — and not the full artifact downloads.
How to reproduce?
Steps to reproduce the issue:
- Create any simple Maven project with pom file & run following commands
mvn dependency:collect -Dmaven.repo.local=./collect-goal-dependencies-list
mvn dependency:resolve -Dmaven.repo.local=./resolve-goal-dependencies-list
- Inspect the contents of both directories.
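As an added example (not part of the original issue report), the script below performs the reproduction steps above and then counts .pom versus .jar files in each isolated local repository, so the "does collect fetch JARs?" question is answered from the directory contents rather than by eye. It assumes mvn is on PATH and that the current directory is the Maven project; set RUN_MVN=1 to actually invoke the goals.

```shell
#!/bin/sh
# Added example: reproduce the issue and compare the two local repositories.
# Not part of the maven-dependency-plugin project; helper names are our own.
set -eu

# count_artifacts DIR EXT -> number of files ending in .EXT under DIR
count_artifacts() {
  dir="$1"; ext="$2"
  find "$dir" -type f -name "*.${ext}" 2>/dev/null | wc -l | tr -d ' '
}

# report_repo DIR -> prints "DIR: pom=<n> jar=<n>".
# Exit status 0 means the repository holds no JARs (metadata-only),
# 1 means at least one JAR was downloaded into it.
report_repo() {
  dir="$1"
  poms=$(count_artifacts "$dir" pom)
  jars=$(count_artifacts "$dir" jar)
  printf '%s: pom=%s jar=%s\n' "$dir" "$poms" "$jars"
  [ "$jars" -eq 0 ]
}

# run_goal GOAL DIR -> run dependency:GOAL with an isolated local repo so the
# downloads can be inspected without touching ~/.m2 (same flags as the issue).
run_goal() {
  goal="$1"; dir="$2"
  mvn "dependency:${goal}" "-Dmaven.repo.local=${dir}"
}

main() {
  collect_dir=./collect-goal-dependencies-list
  resolve_dir=./resolve-goal-dependencies-list
  run_goal collect "$collect_dir"
  run_goal resolve "$resolve_dir"
  if report_repo "$collect_dir"; then
    echo "collect: POM files only, as the documentation describes"
  else
    echo "collect: JAR files were downloaded, matching the behaviour reported"
  fi
  report_repo "$resolve_dir" || true   # resolve is expected to fetch JARs
}

# Only run the Maven goals when explicitly requested, so the helper
# functions can be sourced and checked on their own.
if [ "${RUN_MVN:-0}" = 1 ]; then main "$@"; fi
```

A non-zero jar count under the collect directory is the condition the issue describes; a zero count there means the goal behaved as documented.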
What did you expect?
dependency:collect should download only .pom files, not .jar files. However, we observed that JAR files are being downloaded for both goals. This contradicts the documentation and leads to increased build time and storage usage when used for dependency analysis only.
Suggested Actions
- Please confirm whether this is a bug or a change in behavior not yet reflected in the docs.
- If intentional, update documentation to state that JARs are downloaded.
- If unintentional, please consider fixing it or offering a flag (e.g., -DskipArtifactDownload=true) to make collect truly metadata-only.
Happy to provide a reproduction project if needed. Thank you for your time and all your work maintaining this plugin!
Additional Information: I am working on a use case where I intend to use a Maven plugin goal to know what direct and indirect dependencies are being used by a Maven project. The list of dependencies from the collect goal needs to be compared with a predefined list of stale/vulnerable/non-compliant dependencies. The idea is to ascertain whether a given POM project is compliant or non-compliant. I evaluated the collect & resolve goals. Since both goals download the dependencies, I am not sure which goal should be picked to correctly establish the JAR files being used by a project. This research led to the identification of the above issue & I need your expertise to ascertain which goal fits my use case best given the above issue.