The Maven 3.8.1 release notes describe CVE-2021-26291, which was fixed in that version:
https://maven.apache.org/docs/3.8.1/release-notes.html
That's the best explanation of this CVE of all I have seen online.
But it lacks a guide for plugin authors.
GitHub's security scanner created this alert for my plugin
https://
Can this work also allow arbitrary property expressions in a module?
Currently, this practice is discouraged because the deployed pom with a property
expression is meaningless.
The flatten-maven-plugin can produce correct poms for deployment,
with all properties resolved; despite maven prints the ha