[ https://issues.apache.org/jira/browse/SLING-12331?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17850329#comment-17850329 ]
Konrad Windszus commented on SLING-12331:
-----------------------------------------
The proper fix is to change the Maven dependencies provided by the Maven
distribution to scope {{provided}}. That way they are no longer downloaded (for
no reason). Compare with https://issues.apache.org/jira/browse/MPLUGIN-370.
> Update sling maven plugins to maven 3.8.x
> -----------------------------------------
>
> Key: SLING-12331
> URL: https://issues.apache.org/jira/browse/SLING-12331
> Project: Sling
> Issue Type: Improvement
> Components: Maven Plugins and Archetypes
> Reporter: Dirk Rudolph
> Priority: Major
>
> We recently got some security vulnerability reported related to maven-core,
> which is a transitive dependency used in many / some of the sling maven
> plugins.
> While maven-core is always taken from the maven installation in the current
> version, the vulnerable jars are downloaded when using the plugins, and hence
> found and reported by security scanners.
> We should update our maven plugins to use the 3.8.x version of maven at least.