I can see the import BOM POM being used to import the entire dependency tree for the current JavaScript library:
http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Importing_Dependencies
(Maven – Introduction to the Dependency Mechanism: Importing Dependencies)

The other item is how to exclude malware libraries brought in by version ranges?
https://jlbp.dev/JLBP-14.html
([JLBP-14] Do not use version ranges)

The specific example states that the harmless event-stream included the malware dependency flatmap-stream:
https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/
(Check your repos... Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week) • The Register)

This can be mitigated by using maven-enforcer-plugin with the <banned-dependencies> configuration.

Before I support the ability for maven-enforcer-plugin to ban all malware dependencies, I am unsure if maven-enforcer-plugin would be 'smart enough' to check the dependency graph from the import BOM POM.

Thoughts?
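The configuration the message above refers to, as an added example that is not from this thread nor from the Struts or Maven projects: versions are pinned through an import-scope BOM instead of version ranges (the JLBP-14 point), and maven-enforcer-plugin's bannedDependencies rule rejects known-bad coordinates. The rule runs over the project's resolved dependency graph (transitives included, since searchTransitive defaults to true), so whatever versions the imported BOM manages are exactly what gets checked; the BOM only supplies versions, it does not bypass the rule. All coordinates below (com.example:platform-bom, com.example:some-lib, org.example.bad:*) and the version numbers are constructed placeholders.

```xml
<!-- Added example pom.xml; constructed placeholders throughout, not real artifacts. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>enforcer-bom-demo</artifactId>
  <version>0.1.0</version>

  <!-- Pin versions via an imported BOM rather than version ranges (cf. JLBP-14). -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.example</groupId>           <!-- placeholder BOM -->
        <artifactId>platform-bom</artifactId>
        <version>1.4.0</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- No version here: it is resolved from the imported BOM, so no range can
         silently pull in a newer, tampered release. -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>some-lib</artifactId>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0-M3</version>
        <executions>
          <execution>
            <id>ban-known-bad-dependencies</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <!-- Walk the whole resolved graph, including transitive
                       dependencies brought in by BOM-managed artifacts. -->
                  <searchTransitive>true</searchTransitive>
                  <excludes>
                    <!-- groupId:artifactId bans every version of the artifact -->
                    <exclude>org.example.bad:rogue-stream</exclude>
                    <!-- a specific known-bad release of an otherwise-fine artifact -->
                    <exclude>org.example.bad:useful-lib:[2.0.0]</exclude>
                  </excludes>
                  <message>Known-malicious dependency found in the resolved graph</message>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn verify` (or `mvn enforcer:enforce`) fails the build with the configured message if any banned coordinate appears anywhere in the resolved tree; `mvn dependency:tree` shows the same resolved graph the rule inspects, which is the quickest way to confirm that a BOM-managed version is the one being checked.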
________________________________
From: Lukasz Lenart <lukaszlen...@apache.org>
Sent: Tuesday, November 26, 2019 3:28 AM
To: Struts Developers List <dev@struts.apache.org>
Subject: Google Best Practices for Java Libraries

It's really interesting, some obvious ideas but still worth (re)reading
https://jlbp.dev/

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org