Running maven at 3.9.8 using the following command which applies maven-dependency-plugin:
mvn -X -U -e clean compile package --settings $MAVEN_SETTINGS_XML dependency:copy-dependencies -DincludeScope=runtime -DexcludeScope=provided
Consolidating dependencies by calling copy-dependencies is required for a vulnerability scan; therefore it is preferable to use maven-dependency-plugin for this task. By default, maven at 3.9.8 includes maven-dependency-plugin at 3.7.0.
The maven-dependency-plugin at 3.7.0 has jdom.jar at 1.1 as a great-great-grandparent dependency through parent dependency maven-reporting-impl at 3.2.0.
jdom.jar at 1.1 was quarantined in our nexus by vulnerability software and can no longer be retrieved to complete the build relying on dependency plugin; all these builds are failing.
I can force maven-dependency-plugin to 3.7.1 via the following change, but it still references maven-reporting-impl at 3.2.0:
mvn -X -U -e clean compile package --settings $MAVEN_SETTINGS_XML org.apache.maven.plugins:maven-dependency-plugin:3.7.1:copy-dependencies -DincludeScope=runtime -DexcludeScope=provided
Version 4.0.0-M15 of maven-reporting-impl does not use jdom as a dependency; however, I am unable to set the version of maven-reporting-impl on the command line. Official documents suggest adding -DpluginManagement= as below, but this does not work; it is still included at 3.2.0.
mvn -X -U -e clean compile package --settings $MAVEN_SETTINGS_XML org.apache.maven.plugins:maven-dependency-plugin:3.7.1:copy-dependencies -DpluginManagement=org.apache.maven.reporting:maven-reporting-impl:4.0.0-M15 -DincludeScope=runtime -DexcludeScope=provided
I have moved the position of -DpluginManagement= to various positions, but all fail to access the 4.0.0-M15 version.
Can I override the maven-reporting-impl version so that when dependency is called it uses the 4.0.0-M15 version, preferably from the command line? What is the proper syntax to use?