Hi, I've been working on an internal presentation on how letting Maven's dependency mediation feature select versions of transitive dependencies can introduce vulnerabilities into a product and how to deal with that problem. Unfortunately, it's a very manual process and I was thinking that perhaps changes could be made to Maven that would provide better automation. To that end I'm wondering if the team has ever considered adding a section to the POM that would list significant changes in that release. This would include a list of vulnerabilities fixed (e.g. CVE-XXXX-YYYY) or serious bugs fixed. Each one could include a known set of versions affected (à la how CVEs work today), thus allowing tooling to say: the version of artifact XYZ you're using has a known vulnerability, would you like to upgrade to this new version with that vuln fixed?
On a related note, has a different dependency mediation system ever been considered (as an option), e.g. latest version or latest version on a branch?

Thanks,
David
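As an added illustration of the problem David describes (this is example code written for this page, not Maven's own resolver and not David's presentation material), the following Python models Maven's "nearest wins" mediation over a constructed dependency tree: the shallowest declaration of an artifact is selected, and among declarations at the same depth the first one in POM order wins. It then checks the selected versions against a constructed affected-versions list in the shape the post proposes, using the post's CVE-XXXX-YYYY placeholder rather than a real advisory. The artifact names (`app`, `foo`, `bar`, `baz`, `lib`), their versions, and the advisory data are all made up for the example; the tree is keyed by artifact name only, so it assumes every version of an artifact declares the same dependencies.

```python
"""Model of Maven nearest-wins dependency mediation plus an affected-version check.

Constructed example (not a real project or a real advisory).
"""
from collections import deque

# Constructed dependency tree: artifact -> list of (artifact, version) it
# declares, in POM order. "lib" is reachable at depth 2 (via foo) and at
# depth 3 (via bar -> baz); nearest-wins picks the depth-2 declaration.
TREE = {
    "app": [("foo", "1.0"), ("bar", "2.0")],
    "foo": [("lib", "1.2")],   # depth 2: this declaration wins
    "bar": [("baz", "1.0")],
    "baz": [("lib", "1.5")],   # depth 3: loses, even though it is newer
    "lib": [],
}

# Constructed affected-version data in the shape the post proposes:
# per artifact, an advisory id (placeholder), the versions it affects,
# and the release that fixes it.
ADVISORIES = {
    "lib": [
        {"id": "CVE-XXXX-YYYY", "affected": {"1.0", "1.1", "1.2"}, "fixed_in": "1.3"},
    ],
}


def mediate(tree, root):
    """Return {artifact: (version, depth)} as nearest-wins mediation would choose.

    Breadth-first walk: the first time an artifact is seen is the shallowest
    declaration, and within one depth the leftmost (POM-order) declaration
    is seen first. This is a simplified model of Maven's behaviour, not its
    resolver.
    """
    chosen = {}
    queue = deque([(root, 0)])
    while queue:
        artifact, depth = queue.popleft()
        for dep, version in tree.get(artifact, []):
            if dep not in chosen:
                chosen[dep] = (version, depth + 1)
                queue.append((dep, depth + 1))
    return chosen


def find_affected(chosen, advisories):
    """List (artifact, version, advisory_id, fixed_in) for every selected
    version that falls inside an advisory's affected set."""
    hits = []
    for artifact, (version, _depth) in chosen.items():
        for adv in advisories.get(artifact, []):
            if version in adv["affected"]:
                hits.append((artifact, version, adv["id"], adv["fixed_in"]))
    return hits


def pin_at_root(tree, root, artifact, version):
    """Return a copy of the tree with `artifact` declared directly by `root`.

    A direct declaration sits at depth 1, so it is nearer than any transitive
    declaration and therefore wins mediation; this is the manual fix the
    post describes. The original tree is left unmodified.
    """
    new_tree = {name: list(deps) for name, deps in tree.items()}
    new_tree[root] = new_tree[root] + [(artifact, version)]
    return new_tree


if __name__ == "__main__":
    selected = mediate(TREE, "app")
    for artifact, version, adv_id, fixed_in in find_affected(selected, ADVISORIES):
        print(f"{artifact}:{version} is affected by {adv_id}; fixed in {fixed_in}")
    patched = mediate(pin_at_root(TREE, "app", "lib", "1.3"), "app")
    print("after pinning:", patched["lib"], find_affected(patched, ADVISORIES))
```

Running it shows `lib:1.2` selected by mediation and flagged, and then `lib` resolving to `1.3` at depth 1 once the root declares it directly. In a real build the equivalent of `pin_at_root` is a direct dependency or a `dependencyManagement` entry in the consuming POM, which is exactly the manual step tooling could suggest if affected-version data were available.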
