We have an issue regarding the maven version. Some users want a minimal maven version, #4248, while from a security perspective we should use an up to date one. The MavenLauncher uses internally mvn dependency:build-classpath. This command should invoke at least the maven dependency resolution, which will make network calls. This has a large attack surface. The old solution with version ranges has the problem of build reproduction. Version ranges make a maven build non-reproducible, see #5300 for the PR I merged.
Any opinions or solutions to this?
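As an added example (not code from the Spoon project or from anyone in this thread), a small Python check that flags the dependency declarations which make a Maven build non-reproducible: version ranges, the LATEST/RELEASE metaversions, and dependencies carrying no version in the POM. The sample pom.xml is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml: one pinned dependency and three non-reproducible ones.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <dependencies>
    <dependency><groupId>org.example</groupId>
      <artifactId>pinned</artifactId><version>1.2.3</version></dependency>
    <dependency><groupId>org.example</groupId>
      <artifactId>ranged</artifactId><version>[3.0,4.0)</version></dependency>
    <dependency><groupId>org.example</groupId>
      <artifactId>floating</artifactId><version>LATEST</version></dependency>
    <dependency><groupId>org.example</groupId>
      <artifactId>managed</artifactId></dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# A Maven version range starts with '[' or '(' and ends with ']' or ')'.
RANGE_RE = re.compile(r"^[\[(].*[\])]$")
METAVERSIONS = {"LATEST", "RELEASE"}


def find_unpinned_dependencies(pom_xml: str) -> list[tuple[str, str]]:
    """Return (groupId:artifactId, reason) for every dependency whose version
    is not a single fixed value. Each such entry lets `mvn dependency:*`
    resolve a different artifact over the network on a later run."""
    root = ET.fromstring(pom_xml)
    findings = []
    for dep in root.findall(".//m:dependencies/m:dependency", NS):
        gid = dep.findtext("m:groupId", default="?", namespaces=NS)
        aid = dep.findtext("m:artifactId", default="?", namespaces=NS)
        version = dep.findtext("m:version", namespaces=NS)
        name = f"{gid}:{aid}"
        if version is None:
            # Resolved elsewhere (parent or dependencyManagement): check there too.
            findings.append((name, "no version in this POM"))
        elif RANGE_RE.match(version.strip()):
            findings.append((name, f"version range {version.strip()}"))
        elif version.strip() in METAVERSIONS:
            findings.append((name, f"metaversion {version.strip()}"))
    return findings


if __name__ == "__main__":
    for name, reason in find_unpinned_dependencies(SAMPLE_POM):
        print(f"{name}: {reason}")
```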
@I-Al-Istannen showed me the Maven-invoker is using the system installed maven. So, we could safely downgrade to an outdated maven version and add a comment explaining this old version.