rmannibucau commented on pull request #58: URL: https://github.com/apache/maven-plugin-tools/pull/58#issuecomment-1000776513
Maven comes OOTB with:

````
apache-maven-3.8.4\lib\maven-artifact-3.8.4.jar
apache-maven-3.8.4\lib\maven-builder-support-3.8.4.jar
apache-maven-3.8.4\lib\maven-compat-3.8.4.jar
apache-maven-3.8.4\lib\maven-core-3.8.4.jar
apache-maven-3.8.4\lib\maven-embedder-3.8.4.jar
apache-maven-3.8.4\lib\maven-model-3.8.4.jar
apache-maven-3.8.4\lib\maven-model-builder-3.8.4.jar
apache-maven-3.8.4\lib\maven-plugin-api-3.8.4.jar
apache-maven-3.8.4\lib\maven-repository-metadata-3.8.4.jar
apache-maven-3.8.4\lib\maven-resolver-api-1.6.3.jar
apache-maven-3.8.4\lib\maven-resolver-connector-basic-1.6.3.jar
apache-maven-3.8.4\lib\maven-resolver-impl-1.6.3.jar
apache-maven-3.8.4\lib\maven-resolver-provider-3.8.4.jar
apache-maven-3.8.4\lib\maven-resolver-spi-1.6.3.jar
apache-maven-3.8.4\lib\maven-resolver-transport-wagon-1.6.3.jar
apache-maven-3.8.4\lib\maven-resolver-util-1.6.3.jar
apache-maven-3.8.4\lib\maven-settings-3.8.4.jar
apache-maven-3.8.4\lib\maven-settings-builder-3.8.4.jar
apache-maven-3.8.4\lib\maven-shared-utils-3.3.4.jar
apache-maven-3.8.4\lib\maven-slf4j-provider-3.8.4.jar
````

From there, maven-plugin-api and maven-model are public, part (part is important there) of maven-core is too, and the rest is fully undefined or private as of today - not 100% sure for artifact since it changed a bit, but agree it used to leak so I assume it is okish to include it.

This is only for built-in maven artifacts and not the maven ecosystem, so I guess we can only whitelist the 2-3 dependencies and not include all and exclude a few in terms of impl.
