elharo commented on code in PR #1494:
URL: https://github.com/apache/maven-site/pull/1494#discussion_r2624108024


##########
content/markdown/pom.md:
##########
@@ -314,6 +314,8 @@ Version requirements have the following syntax:
 Maven picks the highest version of each project that satisfies all the hard 
requirements of the dependencies on that project.
 If no version satisfies all the hard requirements, the build fails.
 
+**Security Warning**: The use of version ranges (hard requirements with 
brackets and parentheses) is **strongly discouraged** due to security concerns. 
Version ranges introduce unpredictability in builds, can lead to 
non-reproducible builds, and may unexpectedly pull in vulnerable versions of 
dependencies. Always prefer using explicit, fixed version numbers for 
dependencies to ensure build reproducibility and security. For similar reasons, 
the use of `min` and `max` suffixes in version strings should also be avoided 
(see [Version Order Specification](#version-order-specification) below).
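Review bot: The parenthetical "hard requirements with brackets and parentheses" in the added paragraph equates the bracket syntax with version ranges, but Maven's `[1.0]` form is a hard requirement for exactly one version and introduces no range at all; as worded, the warning steers readers away from the very syntax used to pin a version. Suggest limiting the claim to actual ranges, e.g. "version ranges such as `[1.0,2.0)` or `[1.0,)`", and stating that a single-version requirement like `[1.0]` is not affected. The sentence "may unexpectedly pull in vulnerable versions" would also be stronger if it named the mechanism already given in the context lines above: Maven picks the highest version satisfying the requirements, so an open-ended range resolves to whatever the newest matching artifact in the configured repositories is at build time, and the result changes without any POM change.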

Review Comment:
   Also, not all uses of brackets and parentheses introduce version ranges. They can also be used to pin a specific version during transitive dependency resolution.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
