[jira] [Commented] (MNG-8569) Deprecate and remove version ranges

Tue, 25 Feb 2025 06:20:46 -0800 


    [ 
https://issues.apache.org/jira/browse/MNG-8569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17930351#comment-17930351
 ] 

Elliotte Rusty Harold commented on MNG-8569:
--------------------------------------------

Maybe I'm not understanding you. Are you suggesting that we change the current 
behavior so that [2.1,3) is the same as [2.1]? or that 

<version>[2.1,3)</version>

is the same as

<version>2.1</version>

Or is there some way it would differ that I'm not seeing?


> Deprecate and remove version ranges
> -----------------------------------
>
>                 Key: MNG-8569
>                 URL: https://issues.apache.org/jira/browse/MNG-8569
>             Project: Maven
>          Issue Type: Improvement
>            Reporter: Elliotte Rusty Harold
>            Priority: Critical
>
> To protect Maven users, we should eliminate, or at the very least warn, when 
> version ranges are used in dependency elements. See 
> [https://jlbp.dev/JLBP-14] for the rationale. tldr; version ranges make 
> projects vulnerable to malicious changes of ownership in dependencies that 
> can lead to remotely exploitable arbitrary code execution. I'd rate this 
> about a 9.0 on the severity scale. 
> I don't know of an attack using this vector in Java (yet) but it has
> been used multiple times in other ecosystems to steal bitcoins and
> install malware. Java has been lucky so far, but we are by no means
> immune to it.
> Since this is a compatibility breaking change, which I don't take likely but 
> IMHO is worth it in this case, use a multi-step process:
>  # Discourage this in the docs for version ranges, especially the POM 
> reference.
>  # Warn about this in the build when version ranges are encountered.
>  # Formally deprecate the relevant code in the repo. (Might not be necessary.)
>  # Add a switch (system property) to disable version ranges. Switch is off by 
> default. 
>  # Turn the switch on by default. 
>  # Remove the switch.
> This might take a few years, so let's start now. It's also possible an active 
> attack will push us to do this overnight. If we start now, maybe we'll be 
> lucky enough to avoid emergency responses in the future.
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to