How can I replace a specific plugin in the /plugins folder of product?

[Qichar]

Hello,

I am using your excellent Java language server, and I want to be able to build it from source. My objective is to revolve a set of vulnerabilities by building dependencies from this repo from source:
https://github.com/eclipse-m2e/m2e-core

In particular, org.eclipse.m2e.maven.runtime, because it contains some security vulnerabilities I want to resolve.

I am able to build eclipse.jdt.ls from source, and I notice the product is produced and it contains a repository with plugins:
{project directory}/eclipse.jdt.ls/org.eclipse.jdt.ls.product/target/repository/plugins/

I am not 100% sure, but I think the org.eclipse.m2e.maven.runtime is downloaded because it is part of this file:
org.eclipse.jdt.ls.tp.target

And it's getting it from this location:

I checked, and it contains the same version I see in the plugins folder, namely:
"org.eclipse.m2e.maven.runtime_3.9.100.20230519-1558.jar"

Here are my questions:

1. Even when I change this location, I am still getting the same version of org.eclipse.m2e.maven.runtime during build. Is there a way to force Tycho to re-download? Example:

2. Can I use the Maven local repository as a new source for the org.eclipse.m2e.maven.runtime plugin, and if so, how do I do this? (What do I have to change in the eclipse.jdt.ls source repo?). My objective should be clear: I want to use the new version of org.eclipse.m2e.maven.runtime that I have built from source without having to publish it to a public p2 repository, and without having to set up a local p2 repository inside my company's Artifactory and publishing to it.

Thank you so much for your help!

[Qichar]

Tycho documentations suggests that my question #2 should be possible:
https://wiki.eclipse.org/Tycho/Target_Platform#.22POM_dependencies_consider.22

Locally built artifacts
Just like in a normal Maven build, a Tycho build can use artifacts that have been built locally and installed (e.g. with mvn clean install) into the local Maven repository. In terms of the target platform, this means that these artifacts are implicitly added to the target platform. This is for example useful if you want to rebuild a part of a Tycho reactor, or if you want to build against a locally built, newer version of an upstream project.

There are the following options to disable this feature:

Setting the CLI option -Dtycho.localArtifacts=ignore excludes locally built artifacts in one build. (tycho.localArtifacts=ignore may also be configured in the settings.xml; in this case, the default behaviour can be temporarily re-enabled with the CLI option -Dtycho.localArtifacts=default. Since Tycho 0.16.0.)
Deleting ~/.m2/repository/.meta/p2-local-metadata.properties resets Tycho's list of locally build artifacts, and therefore these artifacts will not be added to target platforms (unless, of course, the artifacts are installed again).

However, after trying a number of different things I wasn't figure out how to get this to work. Do you have a suggestion?
Thanks again!

[snjeza]

@Qichar You can try to use https://download.eclipse.org/technology/m2e/snapshots/latest/
A patch

diff --git a/org.eclipse.jdt.ls.logback.appender/src/org/eclipse/jdt/ls/logback/appender/JavaLsConfigurator.java b/org.eclipse.jdt.ls.logback.appender/src/org/eclipse/jdt/ls/logback/appender/JavaLsConfigurator.java
index 1f1b05cc..2def9c8a 100644
--- a/org.eclipse.jdt.ls.logback.appender/src/org/eclipse/jdt/ls/logback/appender/JavaLsConfigurator.java
+++ b/org.eclipse.jdt.ls.logback.appender/src/org/eclipse/jdt/ls/logback/appender/JavaLsConfigurator.java
@@ -30,7 +30,7 @@ public class JavaLsConfigurator extends ContextAwareBase implements Configurator
 	}
 
 	@Override
-	public void configure(LoggerContext lc) {
+	public ExecutionStatus configure(LoggerContext lc) {
 		addInfo("Setting up default configuration.");
 		boolean isDebug = Boolean.getBoolean("jdt.ls.debug");
 		if (isDebug) {
@@ -55,5 +55,6 @@ public class JavaLsConfigurator extends ContextAwareBase implements Configurator
 			defMavenFilter.setLevel(Level.INFO);
 			defMavenFilter.setAdditive(false);
 		}
+		return ExecutionStatus.INVOKE_NEXT_IF_ANY;
 	}
 }
diff --git a/org.eclipse.jdt.ls.target/org.eclipse.jdt.ls.tp.target b/org.eclipse.jdt.ls.target/org.eclipse.jdt.ls.tp.target
index 4a649944..acd2fd6a 100644
--- a/org.eclipse.jdt.ls.target/org.eclipse.jdt.ls.tp.target
+++ b/org.eclipse.jdt.ls.target/org.eclipse.jdt.ls.tp.target
@@ -18,7 +18,7 @@
             <unit id="org.eclipse.m2e.maven.runtime" version="0.0.0"/>
             <unit id="org.eclipse.m2e.workspace.cli" version="0.0.0"/>
             <unit id="ch.qos.logback.classic" version="0.0.0"/>
-	        <repository location="https://download.eclipse.org/technology/m2e/releases/2.3.0/"/>
+	        <repository location="https://download.eclipse.org/technology/m2e/snapshots/latest/"/>
         </location>
         <location includeAllPlatforms="false" includeConfigurePhase="false" includeMode="planner" includeSource="true" type="InstallableUnit">
             <unit id="org.eclipse.equinox.core.feature.feature.group" version="0.0.0"/>

My objective is to revolve a set of vulnerabilities by building dependencies from this repo from source:

Could you, please, let us know what vulnerabilities you want to resolve?