From my line of usage: These two jars:

org.apache.maven:maven-plugin-api:jar:3.9.14
org.apache.maven:maven-core:jar:3.9.14


If you look at the pom, you will see:

https://github.com/apache/maven/blob/maven-3.9.x/pom.xml#L138

On Thu, Apr 2, 2026 at 7:22 AM Guillaume Nodet <[email protected]> wrote:
>
> Do you know which jars depend on this plexus-utils 3.6.0 ?
>
> On Thu, Apr 2, 2026 at 13:02, Clebert Suconic <[email protected]> wrote:
>
> > Plexus utils 3.6.0 is affected by a CVE:
> >
> > https://gist.github.com/weaver4VD/3216dac645220f8c9b488362f61241ec
> >
> >
> >
> > Would it be possible to update the dependency to a non-affected version
> > (I think 3.9.0?) and have a maven 3.9.15 with the upgrade?
> >
> > I develop a maven plugin and that makes my code appear in security
> > scanners, even though the dependency has a provided scope and is
> > downloaded by Maven itself.
> >
> >
> >
> > Thank you
> >
> > --
> > Clebert Suconic
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >
> >
>
> --
> ------------------------
> Guillaume Nodet



-- 
Clebert Suconic
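
An added example, not part of the thread and not Maven project code: one way to answer "which jars depend on this plexus-utils" from the text output of `mvn dependency:tree`, reporting the direct dependency and scope behind each hit. The sample tree is constructed; `org.example:my-plugin`, the junit entry and the helper name `find_paths` are hypothetical.

```python
import re

# Constructed sample in the text layout printed by `mvn dependency:tree`.
SAMPLE_TREE = r"""
[INFO] --- dependency:tree (default-cli) @ my-plugin ---
[INFO] org.example:my-plugin:maven-plugin:1.0.0
[INFO] +- org.apache.maven:maven-plugin-api:jar:3.9.14:provided
[INFO] |  \- org.codehaus.plexus:plexus-utils:jar:3.6.0:provided
[INFO] +- org.apache.maven:maven-core:jar:3.9.14:provided
[INFO] |  +- org.apache.maven:maven-model:jar:3.9.14:provided
[INFO] |  \- org.codehaus.plexus:plexus-utils:jar:3.6.0:provided
[INFO] \- org.junit.jupiter:junit-jupiter:jar:5.10.2:test
[INFO] BUILD SUCCESS
"""

# Each nesting level is a 3-character unit: "+- ", "\- ", "|  " or "   ".
LINE = re.compile(r"^\[INFO\] ((?:[+|\\ ][- ] )*)(\S+)$")


def find_paths(tree_text, group_id, artifact_id):
    """Return one record per occurrence of group_id:artifact_id in the tree."""
    stack = []  # stack[d] holds the coordinate at depth d on the current branch
    hits = []
    for line in tree_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner, summary or blank line
        parts = m.group(2).split(":")
        if len(parts) < 4:
            continue  # not a groupId:artifactId:type:version[:scope] coordinate
        depth = len(m.group(1)) // 3
        del stack[depth:]  # leave any deeper branch we were in
        stack.append(m.group(2))
        if depth > 0 and parts[0] == group_id and parts[1] == artifact_id:
            hits.append({
                "via": stack[1],       # direct dependency that pulls it in
                "version": parts[-2],
                "scope": parts[-1],    # "provided" entries are still listed
                "path": list(stack),
            })
    return hits


if __name__ == "__main__":
    for hit in find_paths(SAMPLE_TREE, "org.codehaus.plexus", "plexus-utils"):
        print(hit["version"], hit["scope"], "via", hit["via"])
```
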
