Make sure your maven artifacts are provided scope then your users can continue using old versions just fine to the 3.3.9 support level you have now.
Sent from my Verizon, Samsung Galaxy smartphone Get Outlook for Android<https://aka.ms/AAb9ysg> ________________________________ From: Anton Vodonosov <avodono...@yandex.ru> Sent: Monday, August 28, 2023 11:14:30 AM To: dev@maven.apache.org <dev@maven.apache.org> Subject: CVE-2021-26291 for plugin writers Maven 3.8.1 release notes describe CVE-2021-26291 fixed in that version: https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmaven.apache.org%2Fdocs%2F3.8.1%2Frelease-notes.html&data=05%7C01%7C%7Cfb1603297a0149d3585e08dba7d986e8%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638288324934621732%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=EYAH%2FA7JWCBPcZ%2F4wNuUVHJCiNcrh0oB1C8cYeIDhu0%3D&reserved=0<https://maven.apache.org/docs/3.8.1/release-notes.html> That's the best explanation of this CVE of all I saw online. But it misses guide for plugin authors. GitHub's security scanner created this alert for my plugin https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Favodonosov%2Fhashver-maven-plugin%2Fsecurity%2Fdependabot%2F3&data=05%7C01%7C%7Cfb1603297a0149d3585e08dba7d986e8%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638288324934621732%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=rB3V4hX6%2BaN9B8yhv7yrQolTXDL7USf0VkLn75fFvmU%3D&reserved=0<https://github.com/avodonosov/hashver-maven-plugin/security/dependabot/3> and a corresponding pull request, where it suggest to change dependency maven-core from 3.3.8 to 3.8.1: https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Favodonosov%2Fhashver-maven-plugin%2Fpull%2F11&data=05%7C01%7C%7Cfb1603297a0149d3585e08dba7d986e8%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638288324934621732%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=09QeFG3AtERkHZAQ0Wyd%2BjIJMaYQmYqf8qoNl20K%2FZ4%3D&reserved=0<https://github.com/avodonosov/hashver-maven-plugin/pull/11> I am reluctant to commit this change because I am afraid the plugin may stop working for users of older maven versions. I suppose this CVE is not relevant to plugin authors, my reasoning is in the pull request comments. Am I right that the CVE does not affect the plugin? It would be good if the 3.8.1 release notes were extended with explanations is it safe for plugins to depend on older versions of maven libs. Best regards, - Anton --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
