I didn't look too deep into it, but I didn't see any explicit mention of it, trying to avoid Kotlin runtime version conflicts...
Replies: 1 comment
Sorry, this was a metadata leak from the build system and not a compile / runtime dependency. I was receiving CVE alerts for test and build plugins that used older versions of Kotlin, so I used a dependency constraint to force the minimum version. This way the build would be less susceptible to supply chain attacks (e.g. Codecov, CircleCI, SolarWinds exploits). In Maven this is simply an addition to the dependencyManagement section that does not impact resolution outside of that dependency itself, so noise. In Gradle they now prefer their own module metadata over the Maven POM where the constraint gets applied globally to the project. Anyway, the build was fixed to no longer leak this in future releases. If it causes a lot of headache then I can cut a new release, else you can simply ignore it in your build. The library does not have any required dependencies, just static analysis annotations that are optional.