Open hfhbd opened 1 year ago
I assume this also has another security advantage: currently, the checksum is allowed to match any of the checksums of the 200+[^1] versions. This likely makes it easier (but it is still difficult) to create a malicious JAR which has a hash collision with any of the 200+ possible checksums than to cause a hash collision with a single checksum.
[^1]: Maybe that number is too high, since multiple versions might use the same wrapper version.
You could update the Gradle version in the properties but forget to update the wrapper too.
This could also be a (theoretical) security risk: checking in a valid but outdated wrapper which could have vulnerabilities.
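The two checks being contrasted in this thread, written out as an added example (this is not code from the issue or from Gradle itself). It compares the looser rule, "accept the wrapper JAR if its SHA-256 matches any known release", with the stricter rule, "accept it only if it matches the checksum of the version named in `distributionUrl` of `gradle-wrapper.properties`". The checksum table is constructed from placeholder bytes so the script runs offline; the real per-release `gradle-wrapper.jar` checksums are published by Gradle and would replace it. The `distributionUrl` line format is the one Gradle writes into `gradle-wrapper.properties`.

```python
import hashlib
import hmac
import re
from typing import Mapping, Optional

# Constructed for this example: a stand-in for a real gradle-wrapper.jar of a
# given release. Real checksums come from Gradle's release metadata, not here.
def fake_wrapper_jar(version: str) -> bytes:
    return f"fake gradle-wrapper.jar for {version}".encode()

# Constructed table: one SHA-256 per release, keyed by Gradle version.
KNOWN_WRAPPER_SHA256: Mapping[str, str] = {
    v: hashlib.sha256(fake_wrapper_jar(v)).hexdigest() for v in ("8.4", "8.5", "8.6")
}

# Constructed gradle-wrapper.properties declaring Gradle 8.6
# (same line layout as the file Gradle generates).
SAMPLE_PROPERTIES = """\
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\\://services.gradle.org/distributions/gradle-8.6-bin.zip
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
"""

DISTRIBUTION_URL_RE = re.compile(r"gradle-(\d+(?:\.\d+)+)-(?:bin|all)\.zip")


def version_from_properties(properties_text: str) -> Optional[str]:
    """Return the Gradle version named by distributionUrl, or None if absent."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "distributionUrl":
            m = DISTRIBUTION_URL_RE.search(value.replace("\\:", ":"))
            return m.group(1) if m else None
    return None


def matches_any_known(jar_bytes: bytes,
                      table: Mapping[str, str] = KNOWN_WRAPPER_SHA256) -> Optional[str]:
    """Looser rule: accept the JAR if its digest matches ANY known release.

    Returns the matching version, or None. An outdated-but-genuine wrapper
    passes here even when the properties file names a newer version.
    """
    digest = hashlib.sha256(jar_bytes).hexdigest()
    for version, expected in table.items():
        if hmac.compare_digest(digest, expected):
            return version
    return None


def matches_declared_version(jar_bytes: bytes, properties_text: str,
                             table: Mapping[str, str] = KNOWN_WRAPPER_SHA256) -> bool:
    """Stricter rule: the JAR must match the single checksum for the version
    declared in gradle-wrapper.properties.

    This rejects both a tampered JAR and a genuine JAR from a different
    release (the "updated the properties, forgot the wrapper" case).
    """
    version = version_from_properties(properties_text)
    if version is None or version not in table:
        return False
    digest = hashlib.sha256(jar_bytes).hexdigest()
    return hmac.compare_digest(digest, table[version])


if __name__ == "__main__":
    current = fake_wrapper_jar("8.6")   # wrapper matching the properties
    stale = fake_wrapper_jar("8.4")     # genuine wrapper, but from an older release
    tampered = current + b"\x00"        # modified JAR
    for name, jar in (("current", current), ("stale", stale), ("tampered", tampered)):
        print(name, "any-known:", matches_any_known(jar),
              "declared-version:", matches_declared_version(jar, SAMPLE_PROPERTIES))
```

The stale case is the one that separates the two rules: the any-known check reports it as a valid 8.4 wrapper, while the declared-version check fails because the properties file says 8.6. The tampered JAR fails both.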