maven-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Scholte" <rfscho...@apache.org>
Subject Re: Plan to enable developers to consume maven-core without CVE
Date Mon, 15 Feb 2021 18:37:10 GMT
We could consider to do  Maven APIs/SPIs for Maven 5, not earlier. Maven 4 is already hard
enough to reach release ready status, so let's not increase the scope.
It will require a complete new set of interfaces in their own packages, which would also help
with the split package issue of the java module system.
The challenge would be to define which classes and components we consider internal, and which
one should be exposed via an API or SPI.

Robert


On 15-2-2021 18:27:09, Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
Hi everybody,

As of today if you depend on maven-core 3.6.3 you get CVE warning until you
force in your project another guava version.
Do we have any plan to make it hurtless?
Is it related to make a plugin oriented (public) API dependency?

Romain Manni-Bucau
@rmannibucau | Blog
| Old Blog
| Github |
LinkedIn | Book


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message