Hacker News
by
oftenwrong
205 days ago
Maven does not support "scripts" as NPM does, such as the pre-install script used for this exploit. With scripts enabled, the mere act of downloading a dependency requires a high degree of trust in it.
1 comments
15155
205 days ago
Downloading a dependency also requires a high degree of trust in whatever transitive dependencies a trusted dependency decides to pull in.
link
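An added example, not part of either comment above: both points (install-time scripts and transitive dependencies) can be checked from an npm lockfile, because lockfile versions 2 and 3 record a `hasInstallScript` flag on every package that declares a preinstall, install or postinstall script. The lockfile, project name and package names below are constructed for illustration, and `findInstallScripts` is a hypothetical helper name.

```javascript
// Constructed package-lock.json content (lockfileVersion 3); all names are made up.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "example-util": "^1.0.0", "example-ui": "^2.0.0" } },
    "node_modules/example-util": { version: "1.0.3" },
    "node_modules/example-ui": { version: "2.1.0", dependencies: { "example-native": "^0.4.0" } },
    // Pulled in only through example-ui, yet it runs a script at install time.
    "node_modules/example-native": { version: "0.4.2", hasInstallScript: true },
    "node_modules/example-ui/node_modules/example-color": { version: "3.0.0", hasInstallScript: true },
  },
};

// Return every locked package flagged as having an install-time script,
// tagged "direct" (declared by the root project) or "transitive".
function findInstallScripts(lock) {
  const pkgs = lock.packages || {};
  const root = pkgs[""] || {};
  const direct = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
    ...Object.keys(root.optionalDependencies || {}),
  ]);
  const marker = "node_modules/";
  const findings = [];
  for (const [path, meta] of Object.entries(pkgs)) {
    if (path === "" || !meta.hasInstallScript) continue;
    // The package name follows the last "node_modules/" (covers nesting and @scopes).
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    // Only a top-level copy of a name the root declares counts as direct.
    const isDirect = path === marker + name && direct.has(name);
    findings.push({ name, version: meta.version, path, scope: isDirect ? "direct" : "transitive" });
  }
  return findings.sort((a, b) => a.path.localeCompare(b.path));
}

for (const f of findInstallScripts(SAMPLE_LOCK)) {
  console.log(`${f.scope.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
```

The packages it reports are the ones whose scripts `npm install --ignore-scripts` would skip.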