Managed Dependencies #867
-
|
caffeine 3.1.2 has a lot of Managed Dependencies. Is this an error?! I would think so... In a project I use an old version of protobuf (because of other dependencies) and it's getting version conflicts using this caffeine version. Versions 3.1.1 and bellow don't have this problem... |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 4 replies
-
|
Yes, it was an accidental metadata leak which should be resolved in 396a940 and 7321a56. The security scanners were warning about test libraries and build plugin transitive dependencies, I suppose because exploits of CI/CD are becoming more common threats now. The dependency constraints leaked into the external metadata. I was hoping to do a final review of the changes and release this week. |
Beta Was this translation helpful? Give feedback.
-
|
Released 3.1.3 |
Beta Was this translation helpful? Give feedback.
-
|
Thank you. BTW, do you know how long it usually takes to show up in maven repository? |
Beta Was this translation helpful? Give feedback.
-
|
It usually takes about 10 minutes to get into the repository and an hour to get indexed for the search ui. Sometimes search takes longer or I’ll have to file a ticket, but getting into the repository is always within 1-2 hours at worst. |
Beta Was this translation helpful? Give feedback.
-
|
Oh I meant central (maven.org), I don’t know about mvnrepository which is unrelated and often confused as if official. Probably a day or two. |
Beta Was this translation helpful? Give feedback.
Yes, it was an accidental metadata leak which should be resolved in 396a940 and 7321a56. The security scanners were warning about test libraries and build plugin transitive dependencies, I suppose because exploits of CI/CD are becoming more common threats now. The dependency constraints leaked into the external metadata. I was hoping to do a final review of the changes and release this week.