[ https://issues.apache.org/jira/browse/MNG-8569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17925962#comment-17925962 ]
Guillaume Nodet edited comment on MNG-8569 at 2/11/25 11:58 AM:
----------------------------------------------------------------

I see two things that could be done:

* have a way to configure which version is selected in a given range: Maven currently selects the highest, but we could make it configurable so that the lowest would be selected by default (this is different from the {{MAVEN_VERSION_FILTER}} property, which actually changes the output of the range resolution)
* change the consumer POM to not use a range, but rather use the resolved version

I think ranges can be useful to express which versions of a given dependency are supported, but I'm not really sure why this would imply always selecting the highest one.

Or maybe extend the syntax to support specifying the default version: {{<version>2.1[2,3)</version>}}, which would mean select version 2.1 by default, the range being {{[2,3)}} (or any other syntax). We could then warn if no default version is specified.

was (Author: gnt):

I see two things that could be done:

* have a way to configure which version is selected in a given range: Maven currently selects the highest, but we could make it configurable so that the lowest would be selected by default (this is different from the {{MAVEN_VERSION_FILTER}} property, which actually changes the output of the range resolution)
* change the consumer POM to not use a range, but rather use the resolved version

I think ranges can be useful to express which versions of a given dependency are supported, but I'm not really sure why this would imply always selecting the highest one.

Or maybe extend the syntax to support specifying the default version: {{<version>2.1[2,3)</version>}}, which would mean select version 2.1 by default, the range being {{[2,3)}}.
> Deprecate and remove version ranges
> -----------------------------------
>
>                 Key: MNG-8569
>                 URL: https://issues.apache.org/jira/browse/MNG-8569
>             Project: Maven
>          Issue Type: Improvement
>            Reporter: Elliotte Rusty Harold
>            Priority: Critical
>
> To protect Maven users, we should eliminate, or at the very least warn, when version ranges are used in dependency elements. See [https://jlbp.dev/JLBP-14] for the rationale. tldr; version ranges make projects vulnerable to malicious changes of ownership in dependencies that can lead to remotely exploitable arbitrary code execution. I'd rate this about a 9.0 on the severity scale.
>
> I don't know of an attack using this vector in Java (yet) but it has been used multiple times in other ecosystems to steal bitcoins and install malware. Java has been lucky so far, but we are by no means immune to it.
>
> Since this is a compatibility-breaking change, which I don't take lightly but IMHO is worth it in this case, use a multi-step process:
>
> # Discourage this in the docs for version ranges, especially the POM reference.
> # Warn about this in the build when version ranges are encountered.
> # Formally deprecate the relevant code in the repo. (Might not be necessary.)
> # Add a switch (system property) to disable version ranges. Switch is off by default.
> # Turn the switch on by default.
> # Remove the switch.
>
> This might take a few years, so let's start now. It's also possible an active attack will push us to do this overnight. If we start now, maybe we'll be lucky enough to avoid emergency responses in the future.
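As an added example (not code from Maven or from either commenter), the following Python flags range versions in a POM, as step 2 of the issue proposes, and resolves a range both the way Maven does today (highest match) and with the lowest-by-default rule suggested in the comment. It assumes a namespaced POM 4.0.0 document and compares versions as dotted integers, a simplification of Maven's real ordering; the POM and the version catalogue are constructed samples.

```python
# Added example, not Maven's own code: flag version ranges in a POM and resolve them the way
# Maven does (highest match) or as the comment proposes (lowest); dotted-integer ordering assumed.
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
INTERVAL_RE = re.compile(r"[\[(][^\])]*[\])]")   # one "[low,high)" piece of a range spec

def vkey(v):
    return tuple(int(p) for p in v.split("."))

def parse_range(spec):
    """'[2,3),(,1.5]' -> [(low, low_incl, high, high_incl), ...]; None is an open end."""
    intervals = []
    for text in INTERVAL_RE.findall(spec):
        parts = text[1:-1].split(",")
        if len(parts) == 1:                      # "[2.1]" pins exactly one version
            parts *= 2
        low, high = (p.strip() or None for p in parts)
        intervals.append((low, text[0] == "[", high, text[-1] == "]"))
    return intervals

def in_range(version, intervals):
    k = vkey(version)
    for low, li, high, hi in intervals:
        above = low is None or (k >= vkey(low) if li else k > vkey(low))
        below = high is None or (k <= vkey(high) if hi else k < vkey(high))
        if above and below:
            return True
    return False

def resolve(spec, available, prefer="highest"):
    """Pick the matching version Maven would (highest) or the proposed default (lowest)."""
    matches = sorted((v for v in available if in_range(v, parse_range(spec))), key=vkey)
    return None if not matches else (matches[-1] if prefer == "highest" else matches[0])

def ranged_dependencies(pom_xml):
    """(groupId:artifactId, version) for every dependency whose version is a range."""
    hits = []
    for dep in ET.fromstring(pom_xml).iterfind(".//m:dependency", namespaces=NS):
        version = dep.findtext("m:version", default="", namespaces=NS).strip()
        if version[:1] in ("[", "("):            # ranges start with [ or (, plain versions do not
            ga = ":".join(dep.findtext(f"m:{t}", default="?", namespaces=NS) for t in ("groupId", "artifactId"))
            hits.append((ga, version))
    return hits

POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>org.example</groupId><artifactId>lib</artifactId><version>[2,3)</version></dependency>
<dependency><groupId>org.example</groupId><artifactId>util</artifactId><version>2.1</version></dependency>
</dependencies></project>"""   # constructed sample POM: one ranged dependency, one pinned
```

Against a constructed catalogue of 1.9, 2.0, 2.1 and 2.9, `ranged_dependencies(POM)` reports only `org.example:lib`, and `resolve("[2,3)", ...)` returns 2.9 while the `"lowest"` mode returns 2.0: the range admits whatever the newest matching release happens to be at build time.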