I’m trying to resolve a vulnerability (CVE-2021-26291) related to the dependency maven-core version 3.2.5, which is being pulled in by the build plugin maven-compiler-plugin version 3.12.1.

I tried following the official maven guide, by adding the version as follows:

<plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>3.12.1</version>
                <dependencies>
                    <dependency>
                        <groupId>org.apache.maven</groupId>
                        <artifactId>maven-core</artifactId>
                        <version>3.9.8</version>
                    </dependency>
                </dependencies>
                <configuration>
                    <source>${maven.compiler.source}</source>
                    <target>${maven.compiler.target}</target>
                </configuration>
            </plugin>

however I can still see the old version being pulled in by the when I run the mvn dependency:resolve-plugins command:

org.apache.maven.plugins:maven-site-plugin:maven-plugin:3.12.1
[INFO]       org.apache.maven.plugins:maven-site-plugin:jar:3.12.1
[INFO]       org.apache.maven.reporting:maven-reporting-api:jar:3.1.1
[INFO]       org.apache.maven.reporting:maven-reporting-exec:jar:1.6.0
[INFO]       org.apache.maven:maven-artifact:jar:3.2.5 
[INFO]       org.apache.maven:maven-core:jar:3.2.5

I’m not sure why it comes through as maven-site-plugin, though the version matches the one I indicate in the compiler, could it be because it is somehow nested within the compiler dependency? I do not make any direct reference to the maven-site-plugin in my pom.

Any help is very much appreciated as to why it behaves like this or if I’m doing something wrong. Thanks!