Bukama commented on code in PR #1494: URL: https://github.com/apache/maven-site/pull/1494#discussion_r2623960241
########## content/markdown/pom.md: ##########
@@ -314,6 +314,8 @@ Version requirements have the following syntax: Maven picks the highest version of each project that satisfies all the hard requirements of the dependencies on that project. If no version satisfies all the hard requirements, the build fails. +**Security Warning**: The use of version ranges (hard requirements with brackets and parentheses) is **strongly discouraged** due to security concerns. Version ranges introduce unpredictability in builds, can lead to non-reproducible builds, and may unexpectedly pull in vulnerable versions of dependencies. Always prefer using explicit, fixed version numbers for dependencies to ensure build reproducibility and security. For similar reasons, the use of `min` and `max` suffixes in version strings should also be avoided (see [Version Order Specification](#version-order-specification) below).
Review Comment: I would like to only have a warning on this page that using those (as well as min/max, latest etc.) is not recommended, as they can lead to undesired behavior and pulled-in artifacts, and that we recommend using the enforcer-rule to enforce it. And then link to the page where version ranges are described, which is https://maven.apache.org/enforcer/enforcer-rules/versionRanges.html and which also needs a warning with a more detailed explanation and examples and a link to the rule. (at @elharo For me it's very similar to the system dependency: Maven supports it and there are reasons to use it. Are those special and are the situations rare? Yes, but they are there. So Maven should not warn about itself having a security problem, but explain it as a best practice to avoid this pitfall. It's not a security problem of Maven, but of every automatic dependency mechanism.
########## content/markdown/security.md: ##########
@@ -31,6 +31,27 @@ the code, dependencies and repositories that are used in your build. If you want to use Maven to build untrusted code, it is up to you to provide the required isolation. +## Security Best Practices
Review Comment: I don't see the warning on this page. In my opinion this page is about CVE things.
-- This is an automated message from the Apache Git Service.
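Review bot: The new paragraph in the pom.md hunk (after "the build fails.") says what to avoid but not why it drifts or how to catch it: the unchanged context line already states the mechanism ("Maven picks the highest version of each project that satisfies all the hard requirements"), so a range with an open upper bound such as `[1.0,)` follows whatever the repository happens to contain at build time, while a fixed `1.2` does not. Suggest adding that one-sentence explanation with a concrete contrast, and the link to the enforcer rule that the review thread asks for, so the warning is actionable rather than only prohibitive; the `#version-order-specification` anchor should also be checked against the heading that actually exists on the page.

Review bot: In the security.md hunk, the header `@@ -31,6 +31,27 @@` announces 21 added lines but only `+## Security Best Practices` is visible in this excerpt, so the body of the new section cannot be reviewed here. If that body repeats the pom.md warning, suggest replacing it with a one-line pointer to pom.md so the two texts do not drift apart; and since the heading lands directly after the sentence scoping this page to the isolation needed for building untrusted code, a title that says which practices it covers would keep the section from reading as a catch-all.

As an added example, not code from the maven-site PR or from Apache Maven itself: a small Python model of the resolution rule quoted in the pom.md context line ("Maven picks the highest version ... that satisfies all the hard requirements"), run over a constructed repository listing, to show the pitfall the review comment describes: an open-ended range resolves to a different artifact once a newer release is published, with no change to the POM, whereas a fixed version does not. The range grammar is Maven's documented one; the version ordering in `version_key` is a simplified stand-in for Maven's `ComparableVersion` (an assumption), and `is_dynamic` is an illustration of what an enforcer-style check would flag, not the Enforcer plugin's own code. It also covers the exact hard requirement `[1.1]` and a comma-joined set, which go beyond the single case the warning names.

```python
"""Simplified model of Maven version-range resolution (added example; not
code from the maven-site PR or from Apache Maven).

Assumptions, labelled: range grammar is Maven's documented one
([a,b], (a,b), [a,), (,b], [a] and comma-joined sets). version_key is a
simplified stand-in for Maven's ComparableVersion: numeric dot segments
(1.0 == 1), then an optional qualifier that sorts below the bare release
(2.0-beta1 < 2.0). Repository listings in demo() are constructed data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "milestone": 2, "rc": 3, "snapshot": 4}


def version_key(v: str) -> tuple:
    """Sort key: (numeric segments, 1 = release / 0 = pre-release, qualifier)."""
    main, _, qualifier = v.strip().partition("-")
    nums = [int(p) for p in main.split(".")]       # numeric segments only (assumption)
    while len(nums) > 1 and nums[-1] == 0:         # trailing zeros are insignificant
        nums.pop()
    if not qualifier:
        return (tuple(nums), 1, ())
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", qualifier)
    name = m.group(1).lower() if m else qualifier.lower()
    num = int(m.group(2)) if m and m.group(2) else 0
    return (tuple(nums), 0, (_QUALIFIER_RANK.get(name, 99), num))


@dataclass(frozen=True)
class Interval:
    low: Optional[str]          # None = unbounded
    low_inclusive: bool
    high: Optional[str]
    high_inclusive: bool

    def contains(self, v: str) -> bool:
        k = version_key(v)
        if self.low is not None:
            lk = version_key(self.low)
            if k < lk or (k == lk and not self.low_inclusive):
                return False
        if self.high is not None:
            hk = version_key(self.high)
            if k > hk or (k == hk and not self.high_inclusive):
                return False
        return True


_INTERVAL_RE = re.compile(r"([\[(])([^,\[\]()]*)(?:,([^,\[\]()]*))?([\])])")


def parse_spec(spec: str) -> Optional[list[Interval]]:
    """None for a soft requirement ('1.2'); otherwise the hard requirement's
    intervals, e.g. '(,1.0],[1.2,)' -> two intervals."""
    spec = spec.strip()
    if not spec or spec[0] not in "[(":
        return None
    intervals = []
    for m in _INTERVAL_RE.finditer(spec):
        lo_br, lo, hi, hi_br = m.groups()
        lo = lo.strip()
        if hi is None:                              # '[1.1]': exact version, inclusive only
            if lo_br != "[" or hi_br != "]" or not lo:
                raise ValueError(f"invalid exact range: {spec}")
            intervals.append(Interval(lo, True, lo, True))
        else:
            hi = hi.strip()
            intervals.append(Interval(lo or None, lo_br == "[", hi or None, hi_br == "]"))
    if not intervals:
        raise ValueError(f"invalid range: {spec}")
    return intervals


def resolve(spec: str, available: list[str]) -> str:
    """The rule from the pom.md context line: the highest available version that
    satisfies every hard requirement. A soft requirement is taken as written
    when the repository has it (simplification: no dependency mediation)."""
    intervals = parse_spec(spec)
    if intervals is None:
        if spec.strip() in available:
            return spec.strip()
        raise LookupError(f"{spec} is not in the repository")
    candidates = [v for v in available if any(i.contains(v) for i in intervals)]
    if not candidates:
        raise LookupError(f"no available version satisfies {spec}")   # Maven: build fails
    return max(candidates, key=version_key)


def is_dynamic(spec: str) -> bool:
    """What an enforcer-style check would flag (illustration only): ranges,
    LATEST/RELEASE and SNAPSHOTs. '[1.1]' names one artifact and passes."""
    s = spec.strip()
    if s.upper() in ("LATEST", "RELEASE") or s.upper().endswith("-SNAPSHOT"):
        return True
    intervals = parse_spec(s)
    if intervals is None:
        return False
    i = intervals[0]
    exact = (len(intervals) == 1 and i.low is not None and i.low == i.high
             and i.low_inclusive and i.high_inclusive)
    return not exact


def demo() -> dict[str, str]:
    """Constructed listings: the same POM specs resolved before and after the
    repository gains a 2.1 release."""
    repo_then = ["1.0", "1.1", "1.2", "2.0-beta1", "2.0"]
    repo_later = repo_then + ["2.1"]
    return {
        "pinned_then": resolve("1.2", repo_then),
        "pinned_later": resolve("1.2", repo_later),         # unchanged: reproducible
        "open_range_then": resolve("[1.0,)", repo_then),
        "open_range_later": resolve("[1.0,)", repo_later),  # drifts with the repository
        "capped_range": resolve("[1.0,2.0)", repo_later),   # 2.0-beta1 sorts below 2.0
        "exact_hard": resolve("[1.1]", repo_later),
        "two_sets": resolve("(,1.0],[1.2,1.3)", repo_later),
    }


if __name__ == "__main__":
    for name, version in demo().items():
        print(f"{name:18} -> {version}")
    for spec in ["1.2", "[1.1]", "[1.0,)", "LATEST", "1.2-SNAPSHOT"]:
        print(f"{spec:14} dynamic={is_dynamic(spec)}")
```

The `capped_range` entry is the edge case worth noticing: an exclusive upper bound of `2.0` still admits `2.0-beta1`, because pre-release qualifiers sort below the release (in Maven's ordering as well as in this model), so a range meant to stop short of a major version can pull in its pre-releases.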
