Posted to dev@maven.apache.org by Tom VanDeGrift <tv...@gmail.com> on 2021/05/04 18:04:51 UTC

maven-dependency-plugin 3.1.3?

I have been hunting down old security "vulnerable" versions of struts that
have been showing up in my .m2 directory, which is raising flags from my
Security people.  The dependency seems to be coming from an old
doxia-site-renderer.  It has been updated to not have a dependency on
struts at all with version 1.9.2. Many of the maven plugins have been
updated and released using this updated version of doxia-site-renderer.
Unfortunately maven-dependency-plugin has not been released with this
update.  So it is impossible to fully update to that version of
doxia-site-renderer, as the version from the maven-dependency-plugin 3.1.2
cannot be updated by specifically overriding the dependency version in
pluginManagement before it pulls down struts (chicken and egg issue).
Looking at the repo on GitHub, there was a tag created for
maven-dependency-plugin 3.1.3 which looks to use the updated
doxia-site-renderer back in Oct. 2020, but it has not been released (or at
least Maven Central still only has v3.1.2).  Is there a plan for releasing
it or a newer version soon?

Thanks,
Tom

Re: maven-dependency-plugin 3.1.3?

Posted by Elliotte Rusty Harold <el...@ibiblio.org>.
As far as I know, no one is currently working on this and no one has
stepped forward to fund this work with either hours or dollars.

On Wed, May 5, 2021 at 5:49 AM Tom VanDeGrift <tv...@gmail.com> wrote:
-- 
Elliotte Rusty Harold
elharo@ibiblio.org
