Release Notes – Maven 3.6.3

The Apache Maven team would like to announce the release of Maven 3.6.3.

Maven 3.6.3 is available for download.

Maven is a software project management and comprehension tool. Based on the concept of a project object model (POM), Maven can manage a project's build, reporting, and documentation from a central place.

The core release is independent of plugin releases. Further releases of plugins will be made separately. See the PluginList for more information.

If you have any questions, please consult:

Reporters and Contributors of this release

We really value the contributions of these non-committers, so this section is focused on those individuals. Descriptions of the issues fixed can be found at the end of these release notes.

Issue Reporters of this release: Jonathan Chen, Charles Oliver Nutter, Lucas Ludueño, Stig Rohde Døssing, Vladimir Sitnikov

Contributors of this release: Stuart McCulloch, Mickael Istria, Peter Lynch, Christian Wansart, Dezhi Cai, Anatoly Zaretsky, Stig Rohde Døssing

Many thanks to all reporters and contributors for their time and support.

(Please send an email to the dev list if we missed anyone).

Overview of the changes

  • This is a regression release to fix some critical issues shipped with 3.6.2.

  • Some license issues on binary distribution have been fixed.

  • This Maven distribution is now Reproducible: if you download the Maven source archive ( or .tar.gz) and build it on Windows with JDK 8 using the following command:

mvn -DbuildNumber=cecedd343002696d0abb50b32b541b8a6ba2883f package

you'll get bit-by-bit identical output ( and .tar.gz in apache-maven/target/) that you can check with sha512 fingerprints against the official release.
If you're building on any Unix system, you'll need to add “-Dline.separator=$'\r\n'”.
See the Maven - Guide to Configuring for Reproducible Builds for more details.
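
An added example, not part of the release notes or the Maven project's own code: a POSIX shell check that compares an archive rebuilt into apache-maven/target/ with the sha512 fingerprint published for the official release. The script and argument names are placeholders, and it assumes the official .sha512 file is already downloaded and holds either a bare hex digest or a "digest  filename" line.

```shell
#!/bin/sh
# Added example (not from the Maven project): compare a locally rebuilt
# archive with the digest published for the official release.

# Print the SHA-512 hex digest of a file. Reading from stdin keeps the
# file name out of the tool's output.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum < "$1" | awk '{ print $1 }'
    else
        shasum -a 512 < "$1" | awk '{ print $1 }'
    fi
}

# Read the digest from a checksum file. Accepts a bare hex digest or the
# "digest  filename" layout, and normalises it to lowercase.
published_digest() {
    awk 'NF { print tolower($1); exit }' "$1"
}

# verify_rebuild <rebuilt-archive> <official-sha512-file>
# Returns 0 on match, 1 on mismatch, 2 when an input is unusable.
verify_rebuild() {
    artifact=$1
    sumfile=$2
    [ -r "$artifact" ] && [ -r "$sumfile" ] || { echo "unreadable input" >&2; return 2; }
    expected=$(published_digest "$sumfile")
    # A SHA-512 digest is exactly 128 hex characters; anything else (an
    # HTML error page saved as .sha512, a truncated download) is rejected.
    case $expected in
        ''|*[!0-9a-f]*) echo "malformed digest in $sumfile" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || { echo "malformed digest in $sumfile" >&2; return 2; }
    actual=$(sha512_of "$artifact")
    if [ "$actual" = "$expected" ]; then
        echo "MATCH    $artifact"
        return 0
    fi
    echo "MISMATCH $artifact" >&2
    return 1
}

# Usage (placeholder names): verify-rebuild.sh <rebuilt-archive> <official.sha512>
if [ "$#" -eq 2 ]; then verify_rebuild "$1" "$2"; fi
```

A mismatch (exit status 1) means the rebuilt bytes differ from the official release; an exit status of 2 means the comparison never happened and should not be read as a pass.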

The detailed issue list


[MNG-6779] - fix jcl-over-slf4j license: Apache 2.0 instead of MIT


[MNG-6584] - Maven version 3.6.0 does not show ReasonPhrase anymore
[MNG-6759] - [REGRESSION] Maven fails to use <repositories> section from dependency when resolving transitive dependencies in some cases
[MNG-6760] - [REGRESSION] ExclusionArtifactFilter result invalid when wildcard exclusion is followed by other exclusions
[MNG-6765] - [REGRESSION] tycho pom-less builds fails with 3.6.2
[MNG-6771] - Fix license issues on binary distribution


[MNG-6778] - Use https for schemaLocations
[MNG-6799] - avoid model interpolation instability risk: ensure StringVisitorModelInterpolator replaces StringSearchModelInterpolator


[MNG-6777] - Remove duplicate resolveFile methods
[MNG-6789] - Make Maven distribution build Reproducible

The full list of changes can be found in our issue management system.

Complete Release Notes

See complete release notes for all versions