gnodet commented on PR #22344: URL: https://github.com/apache/camel/pull/22344#issuecomment-4159927821
_Claude Code on behalf of Guillaume Nodet_

Follow-up on point 4 from my review — on further thought, stripping `<distributionManagement>` is questionable and should probably be reconsidered: `<distributionManagement>` contains repository **URLs** and IDs, not credentials. The actual credentials for those repositories live in `settings.xml` under `<servers>` (matched by `<id>`).

At most, the URLs reveal internal hostnames, but that's not in the same category as passwords/tokens/API keys. Stripping it removes legitimate POM information with no real security benefit.

I'd suggest removing `<distributionManagement>` from the sanitizer's scope — or at minimum, making it opt-in rather than default behavior.
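As an added illustration of the split the comment describes (example code, not from the Camel PR or its sanitizer), the script below parses constructed `pom.xml` and `settings.xml` fragments: `<distributionManagement>` yields only ids and URLs, while the credential fields a sanitizer would need to target are the `<servers>` entries in `settings.xml` matched by that id. The function names are hypothetical and the samples omit the usual Maven namespace declarations.

```python
"""Where Maven deployment credentials actually live: settings.xml <servers>,
not the POM's <distributionManagement>. All sample files are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample POM: distributionManagement carries only ids and URLs.
POM_XML = """<project>
  <distributionManagement>
    <repository>
      <id>internal-releases</id>
      <url>https://repo.example.internal/releases</url>
    </repository>
    <snapshotRepository>
      <id>internal-snapshots</id>
      <url>https://repo.example.internal/snapshots</url>
    </snapshotRepository>
  </distributionManagement>
</project>"""

# Constructed sample settings.xml: credentials are tied to the POM by <id>.
SETTINGS_XML = """<settings>
  <servers>
    <server>
      <id>internal-releases</id>
      <username>deploy</username>
      <password>s3cret-placeholder</password>
    </server>
  </servers>
</settings>"""

# Elements of a <server> entry that hold secrets (assumed list, not exhaustive).
SECRET_TAGS = {"password", "passphrase", "privateKey"}


def distribution_repos(pom_xml):
    """Return {id: url} for every repository under <distributionManagement>."""
    dm = ET.fromstring(pom_xml).find("distributionManagement")
    return {r.findtext("id"): r.findtext("url") for r in dm} if dm is not None else {}


def pom_leaks_secrets(pom_xml):
    """True if any credential-bearing element appears anywhere in the POM."""
    return any(el.tag in SECRET_TAGS for el in ET.fromstring(pom_xml).iter())


def redact_servers(settings_xml):
    """Mask credential fields under <servers>; return (redacted xml, touched ids)."""
    root = ET.fromstring(settings_xml)
    touched = []
    for server in root.iter("server"):
        for child in server:
            if child.tag in SECRET_TAGS:
                child.text = "***"
                touched.append(server.findtext("id"))
    return ET.tostring(root, encoding="unicode"), touched
```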
