Hej,

Regarding the 2nd question: that feature is present in 3.9.2+ and is called "Trusted Checksums". It applies to all resolution operations, not only "already downloaded".

See here:
https://maven.apache.org/resolver/expected-checksums.html
https://stackoverflow.com/questions/78746427/how-to-use-maven-resolver-trusted-checksums-to-ensure-artifact-integrity

but "demo" is here:
https://github.com/cstamas/tc-demo

HTH
T

On Tue, Sep 17, 2024 at 12:22 PM Delany <delany.middle...@gmail.com> wrote:
>
> Maven 4 comes with --strict-checksums on by default.
> Do I understand correctly that this protection only applies for
> dependencies that have previously been downloaded?
> And that there's value in implementing something like
> https://github.com/chains-project/maven-lockfile or
> https://github.com/vandmo/dependency-lock-maven-plugin ?
>
> Thanks,
> Delany