by gred
23 days ago
> The thing keeping maven safe for now is that most people pin [...] versions

Yes, and also the signing of JARs that are uploaded to the repository, and the fact that most release processes are not fully automated, and the batteries-included standard library which reduces the total number of dependencies, and the fact that a run-of-the-mill third-party library can't execute code at build time, and the very small number of people with credentials to publish new versions of major Maven plugins, etc.