by syjer
1960 days ago
You may notice that in the linked article, only the artifact id has been spoofed. In Maven you need to declare both groupId and artifactId for your dependency (and a fixed version; a range is generally considered a bad practice). To be noted, it makes this kind of attack more difficult, but not impossible. Especially the mix public/private artifacts. I guess it will force a lot of companies to at least lock their groupId on Maven Central, if they never bothered to do so.
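An added example, not part of the comment above: a small audit that lists the dependencies in a POM whose version is not fixed and marks the ones under an internal groupId. The `com.example.internal` prefix and the sample POM are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Assumption: groupId prefixes the organisation treats as internal-only.
INTERNAL_PREFIXES = ("com.example.internal",)

# Constructed sample POM (not taken from the linked article).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId><version>3.12.0</version></dependency>
    <dependency><groupId>com.example.internal</groupId>
      <artifactId>billing-core</artifactId><version>[1.0,)</version></dependency>
    <dependency><groupId>com.example.internal</groupId>
      <artifactId>auth-client</artifactId><version>LATEST</version></dependency>
    <dependency><groupId>com.example.internal</groupId>
      <artifactId>audit-log</artifactId><version>2.3.1</version></dependency>
  </dependencies>
</project>"""

def classify_version(version):
    """Return None for a fixed version, else the reason it can float."""
    v = version.strip()
    if not v:
        return "missing"  # may be inherited from dependencyManagement
    if v in ("LATEST", "RELEASE"):
        return "floating"
    if v[0] in "[(" and "," in v:
        return "range"  # "[1.0]" on its own is an exact pin, not a range
    return None

def is_internal(group_id, prefixes=INTERNAL_PREFIXES):
    """True when the groupId equals or sits below an internal prefix."""
    return any(group_id == p or group_id.startswith(p + ".") for p in prefixes)

def audit_pom(pom_xml, prefixes=INTERNAL_PREFIXES):
    """List (coordinate, issue, is_internal) for every non-fixed dependency."""
    findings = []
    root = ET.fromstring(pom_xml)  # only parse POMs from a trusted source
    for dep in root.iterfind(".//m:dependencies/m:dependency", NS):
        gid = dep.findtext("m:groupId", "", NS).strip()
        aid = dep.findtext("m:artifactId", "", NS).strip()
        issue = classify_version(dep.findtext("m:version", "", NS))
        if issue:
            findings.append((f"{gid}:{aid}", issue, is_internal(gid, prefixes)))
    return findings

if __name__ == "__main__":
    for coord, issue, internal in audit_pom(SAMPLE_POM):
        scope = "internal groupId" if internal else "public groupId"
        print(f"{coord}: version is {issue} ({scope})")
```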