[ https://issues.apache.org/jira/browse/OFBIZ-12186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17288554#comment-17288554 ]
Jacques Le Roux commented on OFBIZ-12186:
-----------------------------------------

As I mentioned in the thread: we will later need to update the verification-metadata.xml file when updating dependencies.

I have put https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check in Wiki Attic and copied its last section in the description of OFBIZ-10213. Because of the switch from jcenter to Maven Central we also need to modify this last section.

I have also put https://cwiki.apache.org/confluence/display/OFBIZ/Load+new+gradle+wrapper+version+on+bintray in Wiki Attic.

We also need to update https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz

> Dependency verification
> ------------------------
>
>                 Key: OFBIZ-12186
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12186
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: Gradle
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Priority: Major
>         Attachments: verification-metadata.xml
>
>
> I posted a related message in dev ML:
> https://markmail.org/message/55r5ycn2wrbotnbn:
> {quote}
> Hi,
> I just read a members thread about this article:
> https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
> One member mentioned that the Groovy project is using the Gradle's dependency
> verification feature[1] in the Apache Groovy build.
> I suggest we do the same, even after the move from JCenter to MavenCentral
> where things should be safer.
> What do you think?
> [1] https://docs.gradle.org/current/userguide/dependency_verification.html
> Jacques
> {quote}

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
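As an added illustration of the Gradle feature discussed in this issue (example code written for this page, not OFBiz or Gradle code): a small Python check that reads the verification-metadata.xml schema Gradle generates and reports what Gradle's dependency verification would for a pinned artifact, a tampered one, and an artifact with no recorded checksum, which is exactly the case that arises after a dependency upgrade until the metadata file is regenerated and reviewed. The org.example/widget coordinates, the jar bytes and the metadata file are all constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"v": "https://schema.gradle.org/dependency-verification"}

# Constructed stand-in for a downloaded widget-1.0.jar (not a real artifact).
GOOD_JAR = b"PK\x03\x04 constructed stand-in for widget-1.0.jar"

# Constructed verification-metadata.xml in the schema Gradle writes; the
# sha256 value is pinned to GOOD_JAR so the sample verifies on its own.
SAMPLE_METADATA = """<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
   <configuration>
      <verify-metadata>true</verify-metadata>
      <verify-signatures>false</verify-signatures>
   </configuration>
   <components>
      <component group="org.example" name="widget" version="1.0">
         <artifact name="widget-1.0.jar">
            <sha256 value="{digest}" origin="Generated by Gradle"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
""".format(digest=hashlib.sha256(GOOD_JAR).hexdigest())


def load_pins(xml_text):
    """Map (group, name, version, artifact) -> pinned sha256 from the metadata."""
    root = ET.fromstring(xml_text)
    pins = {}
    for comp in root.findall("v:components/v:component", NS):
        coord = (comp.get("group"), comp.get("name"), comp.get("version"))
        for art in comp.findall("v:artifact", NS):
            sha = art.find("v:sha256", NS)
            if sha is not None:
                pins[coord + (art.get("name"),)] = sha.get("value").lower()
    return pins


def verify(pins, group, name, version, artifact, data):
    """Outcome for one resolved artifact: 'missing' when no checksum is recorded
    (e.g. a newly upgraded dependency, so the metadata must be regenerated),
    'mismatch' when the bytes differ from the pin, 'ok' when they match."""
    expected = pins.get((group, name, version, artifact))
    if expected is None:
        return "missing"
    return "ok" if hashlib.sha256(data).hexdigest() == expected else "mismatch"
```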