Maven: MNG-3384

Repos defined in plugin are used to download dependencies


    Description

      When a plugin defines a repository, the dependencies declared to and by this plugin are being resolved within these repositories. While this might be easier, it introduces a number of problems, including the fact that it cannot be controlled which repos are being used, security concerns (internal artifact names might be sent to a remote repository, a malicious plugin could define a fake repo with malicious "more recent" versions of almost anything).

      If there is no intention to change the current behaviour, there should be at least an option to disable it.

      More unspecifically, I think the situation got worse in 2.1-SNAPSHOT (I use the m2eclipse plugin), because I see lookups of SNAPSHOT versions of dependencies occur much more often than with 2.0.8.
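As an added illustration, not part of the issue report: the behaviour described above arises when a POM in the resolution graph (a plugin's or a dependency's) declares its own `<repositories>` block, which Maven then consults for that project's dependencies. The defensive control available to the build owner is a catch-all mirror in `settings.xml`: `<mirrorOf>*</mirrorOf>` redirects every repository id, including ids introduced by third-party POMs, to one internal repository manager, so a remotely declared repository cannot be contacted directly. All ids and URLs below are constructed placeholders.

```xml
<!-- File 1: fragment of a plugin's (or dependency's) POM, showing the mechanism.
     Declaring a repository here makes Maven look up this project's dependencies
     there as well. Values are constructed placeholders, not taken from the issue. -->
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example.plugins</groupId>
  <artifactId>example-maven-plugin</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>third-party-repo</id>
      <url>https://repo.example.invalid/maven2</url>
      <snapshots>
        <enabled>true</enabled>
      </snapshots>
    </repository>
  </repositories>
</project>

<!-- File 2: ~/.m2/settings.xml on the build machine. The catch-all mirror sends
     requests for every repository id, third-party-repo included, to the internal
     repository manager. Only artifacts that the manager hosts or is configured to
     proxy can be resolved, and the manager's logs show which artifacts were asked for. -->
<settings>
  <mirrors>
    <mirror>
      <id>internal-mirror</id>
      <mirrorOf>*</mirrorOf>
      <url>https://repo.internal.example.invalid/maven2</url>
    </mirror>
  </mirrors>
</settings>
```

The mirror does not change which versions a POM asks for; it only fixes where the request is sent. Whether a "more recent" SNAPSHOT declared by an untrusted POM can actually be fetched is then decided by the repository manager's proxy and hosting rules rather than by the POM author.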

People

  brett Brett Porter
  seidler Stefan Seidel
