brunoborges commented on PR #1599:
URL: https://github.com/apache/maven-dependency-plugin/pull/1599#issuecomment-4184847584
## Audit fixes (8a5e16cb)
Performed a thorough audit of all 5 source files (`AddDependencyMojo`,
`RemoveDependencyMojo`, `PomEditor`, `DependencyEntry`,
`AbstractDependencyMojo`) for NPE risks, validation gaps, security issues,
resource leaks, and dead code.
### Fixed in this commit:
1. **🔴 Temp file leak in `PomEditor.save()`** — The old `catch
(IOException)` block only cleaned up the temp file on `IOException`. If
`toXml()` threw a `RuntimeException`, the temp file would leak. Fixed by using
a `finally` block with a success flag to ensure cleanup on any exception path.
2. **🔴 Stale javadoc in `AddDependencyMojo`** — Class javadoc still
referenced "BOM import shorthand" which was removed in 9c304854. Removed the
stale text.
3. **🟡 Case-sensitive XXE check in `PomEditor.load()`** — The DOCTYPE check
used `content.contains("<!DOCTYPE")` which is case-sensitive. While standard
XML parsers reject lowercase variants, as defense-in-depth we now use
case-insensitive matching and also check for `<!ENTITY` declarations. Added a
test for the lowercase bypass.
4. **🟡 Dead code: `updateDependency()` + helpers** — `updateDependency()`,
`setOrRemoveChild()`, and `removeChildElement()` had no mojo callers since the
`updateExisting` behavior was removed. Removed the dead methods and their 4
tests (net −164 lines).
### Reviewed and accepted (no fix needed):
5. **`threadSafe=true` without synchronization** — Maven's parallel build
does not execute the same mojo against the same project instance concurrently,
so the model mutation after `save()` is safe in practice.
6. **Path traversal in `checkChildModuleDependencies`** — Module names come
from Maven's already-parsed `Model`, which validates module paths during
project loading. The code only reads `pom.xml` files. Very low risk.
All 389 tests pass.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
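The two code-level fixes the comment describes (items 1 and 3: cleanup of the temp file on every exception path in `save()`, and a case-insensitive DOCTYPE/ENTITY reject in `load()`) as an added, self-contained Java sketch. This is illustrative code written for this page, not the plugin's `PomEditor`; the class name `SafePomEditorSketch`, the `Supplier<String>` stand-in for `toXml()`, and the sample POM strings are assumptions, and it expects Java 11 or later for `Files.readString`/`writeString`.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.function.Supplier;
import java.util.regex.Pattern;

/**
 * Illustrative sketch (not the plugin's PomEditor): a defense-in-depth
 * DOCTYPE/ENTITY reject on load, and a temp-file save whose cleanup runs
 * on any exception, checked or unchecked.
 */
public final class SafePomEditorSketch {

    // Case-insensitive match for either declaration. A conforming XML parser
    // rejects lowercase variants anyway; this is the belt-and-braces layer.
    private static final Pattern DTD_MARKUP =
            Pattern.compile("<!(DOCTYPE|ENTITY)", Pattern.CASE_INSENSITIVE);

    private SafePomEditorSketch() {}

    /** True when the content carries a DOCTYPE or ENTITY declaration in any letter case. */
    static boolean containsDtdMarkup(String content) {
        return DTD_MARKUP.matcher(content).find();
    }

    /** Reads a POM and refuses it before any XML parser sees DTD markup. */
    static String load(Path pom) throws IOException {
        String content = Files.readString(pom, StandardCharsets.UTF_8);
        if (containsDtdMarkup(content)) {
            throw new IOException("Refusing to parse " + pom
                    + ": DOCTYPE/ENTITY declarations are not allowed");
        }
        return content;
    }

    /**
     * Writes the serialized POM to a sibling temp file and moves it into place.
     * The temp file is deleted in finally unless the move succeeded, so a
     * RuntimeException from the serializer (or anywhere else) cannot leave it
     * behind; a catch (IOException) alone would miss that path.
     */
    static void save(Path target, Supplier<String> toXml) throws IOException {
        Path dir = target.toAbsolutePath().getParent();
        Path tmp = Files.createTempFile(dir, "pom", ".tmp");
        boolean success = false;
        try {
            Files.writeString(tmp, toXml.get(), StandardCharsets.UTF_8);
            Files.move(tmp, target, StandardCopyOption.ATOMIC_MOVE);
            success = true;
        } finally {
            if (!success) {
                Files.deleteIfExists(tmp);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("pom-sketch");
        Path pom = dir.resolve("pom.xml");

        // 1. Normal save: the temp file is moved into place, nothing left over.
        save(pom, () -> "<project><modelVersion>4.0.0</modelVersion></project>");
        System.out.println("saved " + load(pom).length() + " chars");

        // 2. Serializer throws an unchecked exception: no .tmp file must remain.
        try {
            save(pom, () -> { throw new IllegalStateException("serializer failed"); });
        } catch (IllegalStateException expected) {
            try (var files = Files.list(dir)) {
                long leftovers = files.filter(p -> p.toString().endsWith(".tmp")).count();
                System.out.println("leftover temp files after failure: " + leftovers);
            }
        }

        // 3. Lowercase variant of the DOCTYPE check (constructed sample) is rejected.
        Files.writeString(pom, "<!doctype project [<!entity x \"y\">]><project/>",
                StandardCharsets.UTF_8);
        try {
            load(pom);
        } catch (IOException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
    }
}
```

The success flag rather than a `catch` is the point of item 1: `finally` runs for `IOException`, for any `RuntimeException` thrown by the serializer, and for `Error`s, so the only way the temp file survives is when the move completed. For item 3, a regex with `CASE_INSENSITIVE` over both `<!DOCTYPE` and `<!ENTITY` is what turns the original `contains("<!DOCTYPE")` into a check a differently-cased document cannot slip past.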