[ https://issues.apache.org/jira/browse/SLING-12331?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17850329#comment-17850329 ]
Konrad Windszus commented on SLING-12331:
-----------------------------------------

The proper fix is to change the Maven dependencies provided by the Maven distribution to scope {{provided}}. That way they are no longer downloaded (for no reason). Compare with https://issues.apache.org/jira/browse/MPLUGIN-370.

> Update sling maven plugins to maven 3.8.x
> -----------------------------------------
>
>                 Key: SLING-12331
>                 URL: https://issues.apache.org/jira/browse/SLING-12331
>             Project: Sling
>          Issue Type: Improvement
>          Components: Maven Plugins and Archetypes
>            Reporter: Dirk Rudolph
>            Priority: Major
>
> We recently got some security vulnerability reported related to maven-core,
> which is a transitive dependency used in many / some of the sling maven
> plugins.
> While maven-core is always taken from the maven installation in the current
> version, the vulnerable jars are downloaded when using the plugins, and hence
> found and reported by security scanners.
> We should update our maven plugins to use the 3.8.x version of maven at least.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)