undefined | Better HN

0 pointsmschuster916d ago0 comments

> Wake me up when the daily npm security breach headlines are typosquatting stories, not RCE-on-build or RCE-on-upgrade.

RCE-on-build/upgrade can be done in Maven if you manage to compromise one of the major Maven plugins, they run at build time. The thing keeping maven safe for now is that most people pin the plugin and dependency versions, with the obvious side effect that it's truly annoying to get all your dependencies updated.

0 comments

gred6d ago

> The thing keeping maven safe for now is that most people pin [...] versions

Yes, and also the signing of JARs that are uploaded to the repository, and the fact that most release processes are not fully automated, and the batteries-included standard library which reduces the total number of dependencies, and the fact that a run-of-the-mill third-party library can't execute code at build time, and the very small number of people with credentials to publish new versions of major Maven plugins, etc.

j / k navigate · click thread line to collapse

0 comments

gred6d ago

> The thing keeping maven safe for now is that most people pin [...] versions

j / k navigate · click thread line to collapse