Maven 3.8.1 released

  • The first Maven release in quite a while has happened. The previous version was 3.6.3 and the newest release is 3.8.1. This release fixed two CVEs: CVE-2021-26291 and CVE-2020-13956.

    The most important change is that HTTP repositories are now blocked. Every repo will now need to use HTTPS. This is to prevent MITM attacks. The options are to stick with this old version of Maven or upgrade to HTTPS.

    They also included an explanation of why the version went from 3.6.3 to 3.8.1.

    Quote

    Why not 3.6.4?
    This is not just a bugfix as it contains three features that cause a change of default behavior (external HTTP insecure URLs are now blocked by default): your builds may fail when using this new Maven release, if you use now blocked repositories. Please check and eventually fix before upgrading.

    Why not 3.7.0?
    Apache Maven 3.7.0 has been advertised in the past that it would be the first release where you could optionally activate the build/consumer feature: the version containing this feature has been renamed to 4.0.0. Reusing 3.7.0 might lead to confusion, hence we picked the next available minor version.

    Why not 3.8.0?
    With every release there’s a 72h+ voting period. During the vote of 3.8.0 a bug was discovered, one that was important enough to cancel the vote. With Maven we burn versions, to ensure we’re always talking about the same “version”. This way there will never be confusion about which Maven 3.8.0 one was using.

    A list of bug fixes:

    Quote

    [MNG-7128] - improve error message when blocked repository defined in build POM
    [MNG-7116] - Add support for mirror selector on external:http:*
    [MNG-7117] - Add support for blocking mirrors
    [MNG-7118] - Block external HTTP repositories by default
    [MNG-7119] - Upgrade Maven Wagon to 3.4.3
    [MNG-7123] - Upgrade Maven Resolver to 1.6.2
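
A pre-upgrade check for the HTTP blocking described in the post, as an added example that is not part of the original post or of the Maven project: it lists the repositories in a POM that are declared with an `http://` URL so they can be moved to HTTPS first. The sample POM is constructed, and treating `localhost`/`127.0.0.1` as not external is an assumption that approximates the `external:http:*` selector named in MNG-7116.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: hosts treated as local, i.e. not matched by an "external" selector.
LOCAL_HOSTS = {"localhost", "127.0.0.1"}

# Constructed sample POM for the demonstration (not from a real project).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <repositories>
    <repository><id>legacy-releases</id><url>http://repo.example.com/releases</url></repository>
    <repository><id>secure</id><url>https://repo.example.com/releases</url></repository>
    <repository><id>dev-local</id><url>http://localhost:8081/repository/dev</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>legacy-plugins</id><url>HTTP://plugins.example.com/maven2</url></pluginRepository>
  </pluginRepositories>
</project>"""


def local(tag):
    """Strip the XML namespace so the POM matches with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def blocked_repositories(pom_text):
    """Return (id, url) for each repository declared with an external http:// URL."""
    findings = []
    for group in ET.fromstring(pom_text).iter():
        # Only resolution repositories, including those declared inside profiles.
        if local(group.tag) not in ("repositories", "pluginRepositories"):
            continue
        for repo in group:
            fields = {local(c.tag): (c.text or "").strip() for c in repo}
            url = fields.get("url", "")
            parts = urlsplit(url)  # scheme and hostname come back lower-cased
            if parts.scheme == "http" and (parts.hostname or "") not in LOCAL_HOSTS:
                findings.append((fields.get("id", "<no id>"), url))
    return findings


if __name__ == "__main__":
    for repo_id, url in blocked_repositories(SAMPLE_POM):
        print(f"{repo_id}: {url} -> switch to https:// before upgrading")
```

The same function can be run over `settings.xml` profiles, since they use the same `repositories` and `pluginRepositories` elements.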