Closed ST-DDT closed 5 years ago
Do you have a link to an article outlining reasoning, or perhaps recommendations for Maven project maintainers? I assume this is due to security concerns, but not sure what is the specific reasoning -- does Maven or some other tool directly resolve URL for anything but information purposes?
Do you have a link to an article outlining reasoning, or perhaps recommendations for Maven project maintainers? I assume this is due to security concerns, but not sure what is the specific reasoning
Unfortunately I couldn't find a link that recommends either (at least for Maven). I mostly found questions from users trying to avoid the other.
I (and probably a huge part of the internet) recommend https though, and some famous browsers start nagging about http. (I guess I'm not saying anything new for you here)
Well, it feels so wrong to paste links to "should I use https?" to a developer of such an important/good library, so I only paste this (funny but true) one:
does Maven or some other tool directly resolve URL for anything but information purposes?
AFAICT Maven doesn't use the project.url or scm.url for anything, but the generated documentation.
You can test this with mvn site -> dependencies. It will then list all libraries with all their links (project url, license urls...)
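As an added example (not from this thread or the java-classmate project), a small Python check that scans a POM for plain-http URLs and separates the informational elements the comment above describes (project url, scm, licenses, which Maven only renders into the generated site) from repository and distribution URLs, which Maven does fetch from and upload to; that second group goes beyond what the thread discusses. The sample POM is constructed and the element lists are my own assumption about which elements matter.

```python
import xml.etree.ElementTree as ET

# Elements Maven only prints into generated documentation (mvn site): cosmetic.
INFORMATIONAL = [
    "url", "scm/url", "scm/connection", "scm/developerConnection",
    "licenses/license/url", "organization/url", "issueManagement/url",
]
# Elements Maven actually downloads from or uploads to: plaintext here is a real risk.
RESOLVED = [
    "repositories/repository/url", "pluginRepositories/pluginRepository/url",
    "distributionManagement/repository/url", "distributionManagement/snapshotRepository/url",
]

def _strip_namespaces(root):
    # POMs may or may not declare the Maven xmlns; drop it so paths work either way.
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]

def find_http_urls(pom_xml: str) -> dict:
    """Return {'informational': [...], 'resolved': [...]} of (element path, value) pairs
    whose text contains a plain http:// scheme. scm values look like scm:git:http://...,
    so the scheme is searched anywhere in the text, not only at the start."""
    root = ET.fromstring(pom_xml)
    _strip_namespaces(root)
    result = {"informational": [], "resolved": []}
    for kind, paths in (("informational", INFORMATIONAL), ("resolved", RESOLVED)):
        for path in paths:
            for el in root.findall(path):
                value = (el.text or "").strip()
                if "http://" in value:
                    result[kind].append((path, value))
    return result

# Constructed sample POM (hypothetical coordinates and hosts).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <url>http://example.invalid/demo</url>
  <scm>
    <connection>scm:git:http://example.invalid/demo.git</connection>
    <url>https://example.invalid/demo</url>
  </scm>
  <repositories>
    <repository><id>legacy</id><url>http://repo.example.invalid/maven2</url></repository>
  </repositories>
</project>"""

if __name__ == "__main__":
    for kind, hits in find_http_urls(SAMPLE_POM).items():
        for path, value in hits:
            print(f"{kind:13} {path}: {value}")
```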
@cowtowncoder would you be able to cut a release with this change? It feels unnecessarily tedious, but tools like SourceClear are reporting vulns against this, and I'd rather bump a dependency in my projects than argue about why this vuln is irrelevant. Cheers!
@gjoseph Jesus Fucking Christ security tools are stupid. Can you send me a link or something? I don't really want to do a release for cosmetic change with nothing of use... but I am curious now what kind of godforsaken pile of crap flags a package for such thing. :-(
Sorry :D This link should be it but it doesn't offer much if you're not logged in: https://www.sourceclear.com/vulnerability-database/vulnerabilities/21514
I also could use an updated release due to the Sourceclear issue.
Released 1.5.1, should be on its way to Maven Central.
Sorry for the late reply, but, excellent, thanks @cowtowncoder !
https://github.com/FasterXML/java-classmate/blob/master/pom.xml#L15