[ https://issues.apache.org/jira/browse/MNG-8569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17938905#comment-17938905 ]
Elliotte Rusty Harold commented on MNG-8569:
--------------------------------------------

I think you're making a good case for why internal repos should be mono repos with one version only policies. This is what some of the largest tech companies including Google and Meta do, and it works much better with stronger collaboration across teams and many fewer dependency conflicts.

Maven is by design and intent an opinionated tool that does not try to support every possible build setup. I think we should opinionate that versions need to be pinned.

> Deprecate and remove version ranges
> -----------------------------------
>
>                 Key: MNG-8569
>                 URL: https://issues.apache.org/jira/browse/MNG-8569
>             Project: Maven
>          Issue Type: Improvement
>            Reporter: Elliotte Rusty Harold
>            Priority: Major
>             Fix For: 4.x / Backlog
>
>
> To protect Maven users, we should eliminate, or at the very least warn, when
> version ranges are used in dependency elements. See
> [https://jlbp.dev/JLBP-14] for the rationale. tldr; version ranges make
> projects vulnerable to malicious changes of ownership in dependencies that
> can lead to remotely exploitable arbitrary code execution. I'd rate this
> about a 9.0 on the severity scale.
> I don't know of an attack using this vector in Java (yet) but it has
> been used multiple times in other ecosystems to steal bitcoins and
> install malware. Java has been lucky so far, but we are by no means
> immune to it.
> Since this is a compatibility breaking change, which I don't take lightly but
> IMHO is worth it in this case, use a multi-step process:
> # Discourage this in the docs for version ranges, especially the POM
> reference.
> # Warn about this in the build when version ranges are encountered.
> # Formally deprecate the relevant code in the repo. (Might not be necessary.)
> # Add a switch (system property) to disable version ranges. Switch is off by
> default.
> # Turn the switch on by default.
> # Remove the switch.
> This might take a few years, so let's start now. It's also possible an active
> attack will push us to do this overnight. If we start now, maybe we'll be
> lucky enough to avoid emergency responses in the future.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
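
The "warn when version ranges are encountered" step in the proposal above can be approximated outside Maven with a POM audit. The following Python check is an added example, not code from the Maven project or from the issue; `find_version_ranges`, `is_version_range` and the sample POM are hypothetical names and constructed input, and it resolves only properties defined in the same POM (parent POMs and profiles are not followed).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample POM (not from the issue): a plain pin, an exact hard pin, and three ranges.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><lib.version>[2.0,3.0)</lib.version></properties>
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>pinned</artifactId><version>1.4.2</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>hard-pin</artifactId><version>[1.4.2]</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>open-ended</artifactId><version>[1.0,)</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>via-prop</artifactId><version>${lib.version}</version></dependency>
  </dependencies>
  <dependencyManagement><dependencies>
    <dependency><groupId>com.example</groupId><artifactId>managed</artifactId><version>(,1.0],[1.2,)</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

EXACT_PIN = re.compile(r"^\[[^,\[\]()]+\]$")  # "[1.4.2]" admits exactly one version
PROP_REF = re.compile(r"\$\{([^}]+)\}")       # "${name}" property reference

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix ElementTree adds

def is_version_range(spec):
    """True when a Maven version spec can resolve to more than one version."""
    spec = spec.strip()
    if not spec or spec[0] not in "[(":
        return False  # plain "1.4.2" names a single version
    return not EXACT_PIN.match(spec)

def find_version_ranges(pom_xml):
    """Return (groupId:artifactId, version spec) for every dependency using a range."""
    root = ET.fromstring(pom_xml)  # audit POMs from your own tree; not hardened for hostile XML
    props = {}
    for el in root:
        if _local(el.tag) == "properties":
            props = {_local(p.tag): (p.text or "") for p in el}
    findings = []
    for dep in root.iter():  # covers dependencies, dependencyManagement and plugin deps
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        raw = fields.get("version", "")
        resolved = PROP_REF.sub(lambda m: props.get(m.group(1), m.group(0)), raw)
        if is_version_range(resolved):
            findings.append((f"{fields.get('groupId')}:{fields.get('artifactId')}", resolved))
    return findings

if __name__ == "__main__":
    print(find_version_ranges(SAMPLE_POM))
```

The `via-prop` entry shows why a text search for brackets inside `<version>` elements is not enough: the range sits in `<properties>` and only appears after substitution.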