Hi, We've noticed that the Maven Common Artifact Filters has a dependency on maven-resolver-util. This dependency has been downgraded from 1.6.3 to 1.4.1 in Common Artifact Filters 3.4.0.
This was done in commit https://github.com/apache/maven-common-artifact-filters/pull/36/files#diff-9c5fb3d1b7e3b0f54bc5c4182965c4fe1f9023d449017cece3005d3f90e8e4d8L60-R60 . It has come to our attention that version 1.4.1 uses a PGP Key without a UID and we can't verify the maintainer of this version. a) Was the change intentional? b) Is the PGP key verifiable with the fingerprint org.apache.maven.resolver:maven-resolver-api:1.4.1 = 0x522CA055B326A636D833EF6A0551FD3684FCBBB7? Best regards Alexandra Steffan C1-Internal Use --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
