> If Maven or some other tool decides to update one of the selected jars
> used by my project, it can introduce a version marked as a high security
> risk. That's something I can't allow.
>
You define a specific library version in your dependency management tool. There are also tools for Maven/Gradle that verify dependency signatures against a list of trusted signatures defined manually in the build script. That way you can make sure your download from Maven Central / jcenter is the one you expect to download.

Here is an example of using Gradle with signature verification: https://docs.gradle.org/current/userguide/dependency_verification.html

-- J.
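
An added example, not part of the original message: a minimal `gradle/verification-metadata.xml`, the file Gradle's dependency verification reads, with signature checking enabled. The coordinates `com.example:example-lib:1.2.3`, the key fingerprint and the checksum are placeholders, not values from this thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- gradle/verification-metadata.xml (added example; all values below are placeholders) -->
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
   <configuration>
      <!-- Also verify .pom / .module metadata files, not only jars -->
      <verify-metadata>true</verify-metadata>
      <!-- Require a valid PGP signature made by a key listed under trusted-keys -->
      <verify-signatures>true</verify-signatures>
      <trusted-keys>
         <!-- Use the full key fingerprint and scope the key to one group, so it
              cannot vouch for artifacts published under any other group -->
         <trusted-key id="REPLACE_WITH_FULL_KEY_FINGERPRINT" group="com.example"/>
      </trusted-keys>
   </configuration>
   <components>
      <!-- An artifact without a verifiable signature must match a checksum listed
           here, otherwise the build fails. A silently changed or swapped jar for
           this exact version therefore cannot be resolved. -->
      <component group="com.example" name="example-lib" version="1.2.3">
         <artifact name="example-lib-1.2.3.jar">
            <sha256 value="REPLACE_WITH_SHA256_OF_REVIEWED_JAR" origin="checked by hand against the publisher's release page"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
```

Gradle can bootstrap this file with `gradle --write-verification-metadata pgp,sha256 --export-keys`; the generated keys and checksums only record what was downloaded at that moment, so review them before committing the file.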
