Maven 3.8.1 release notes describe CVE-2021-26291 fixed in that version:
https://maven.apache.org/docs/3.8.1/release-notes.html

That's the best explanation of this CVE of all I have seen online.

But it misses a guide for plugin authors.

GitHub's security scanner created this alert for my plugin
https://github.com/avodonosov/hashver-maven-plugin/security/dependabot/3
and a corresponding pull request, where it suggests changing the
maven-core dependency from 3.3.8 to 3.8.1:
https://github.com/avodonosov/hashver-maven-plugin/pull/11

I am reluctant to commit this change because
I am afraid the plugin may stop working for users of older maven versions.
I suppose this CVE is not relevant to plugin authors; my reasoning
is in the pull request comments.

Am I right that the CVE does not affect the plugin?

It would be good if the 3.8.1 release notes were extended with an explanation
of whether it is safe for plugins to depend on older versions of Maven libs.

Best regards,
- Anton
