extractDependencies now defaults to true which may surprise plugin devs blindly upgrading used sdk from pre-4.1
This matters in 3 circumstances we might warn about when extracting:
clashing file when resources are not package-scoped (happens)
clashing file(s) in META-INF (e.g. Spring Scanner metadata files, which have fixed paths and names)
LICENSE.TXT - sort of handled on clash by adding a suffix, but when there is only 1 LICENSE.TXT in included JAR it just pollutes your jar AFAIR
unpacking a signed jar (in real life this happened to me only with bcprov I shouldn't have included anyway, but still possible with other jars)
Closing as this a very old issue regarding behaviour change of an old version.
This gotcha is still biting people in 2018. It's not about when we made the change, it's about the fact that silently overwriting files is wrong.