src/main/resources/META-INF/plexus/components.xml default lifecycle bindings use very old plugin versions

[sratz]

The default lifecycle bindings
https://github.com/eclipse-tycho/tycho/blob/7f55e0b96415a33482bd14341fc192f0a21e26e1/tycho-maven-plugin/src/main/resources/META-INF/plexus/components.xml
use quite old versions of maven plugins, defined in the super pom:

tycho/pom.xml

Lines 75 to 78 in 7f55e0b

	<resources-plugin.version>2.4.3</resources-plugin.version>
	<install-plugin.version>2.3.1</install-plugin.version>
	<deploy-plugin.version>2.5</deploy-plugin.version>
	<clean-plugin.version>2.4.1</clean-plugin.version>

This, for example causes warnings such as

[INFO] ---------------------------[ eclipse-plugin ]---------------------------
[WARNING] *****************************************************************
[WARNING] * Your build is requesting parallel execution, but this         *
[WARNING] * project contains the following plugin(s) that have goals not  *
[WARNING] * marked as thread-safe to support parallel execution.          *
[WARNING] * While this /may/ work fine, please look for plugin updates    *
[WARNING] * and/or request plugins be made thread-safe.                   *
[WARNING] * If reporting an issue, report it against the plugin in        *
[WARNING] * question, not against Apache Maven.                           *
[WARNING] *****************************************************************
[WARNING] The following plugins are not marked as thread-safe in com.foo.bar:
[WARNING]   org.apache.maven.plugins:maven-deploy-plugin:2.5
[WARNING]
[WARNING] Enable debug to see precisely which goals are not marked as thread-safe.
[WARNING] *****************************************************************

Should these be updated to the latest versions?

Is there a way to have this done automatically (or via dependabot)?

[laeubi]

In general it is good practice to not rely on the default lifecycle bindings versions but define the one you want in your main pom file.

Nerveless I don't see a reason to not upgrade to the latest version.

[sratz]

Typically, I don't want to influence the bindings that Tycho choses, if I don't want to change the configuration of those plugins.

However

     <pluginManagement>
       <plugins>
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-deploy-plugin</artifactId>
           <version>3.1.1</version>
         </plugin>
       </plugins>
     </pluginManagement>

in the super pom appears to be enough to force a newer version (without influencing the bindings).

[fbladilo]

@laeubi These should upgraded to their latest versions , no need to carry old/ancient versions of maven plugins

[laeubi]

@laeubi These should upgraded to their latest versions , no need to carry old/ancient versions of maven plugins

Feel free to provide a PR to update the versions, but these should not be the latest but actually match the one fro maven (currently 3.9.3).