Thanks Michael, indeed this can be better worded. What about:

How to programmatically list a pom's dependencies (incl. transitive) without
the risk of running untrusted/unauthorized code?

--
-- Aldrin Leal, <ald...@leal.eng.br> / https://aldrinleal.link


On Fri, Dec 16, 2022 at 3:55 PM Michael Osipov <micha...@apache.org> wrote:

> On 2022-12-16 at 18:02, Aldrin Leal wrote:
> > Hello,
> >
> > Just a question I'd like to confirm with you guys: How "safe" is it to run
> > `dependency:tree` on a given arbitrary pom?
> >
> > I mean, what's the likelihood of that pom.xml triggering some "unsafe" code?
> >
> > And how would you do this in (listing all the required runtime jar files
> > for a given project) the most secure way if you were given this task?
>
> Safety and security are two different things. What are you striving for?