When an open-source component reaches end of life (EOL), the risks extend far beyond that single package. Most components rely on third-party libraries, creating chains of transitive dependencies.
Abstract: The modern software development landscape heavily relies on transitive dependencies. They enable seamless integration of third-party libraries. However, they also introduce security ...
Abstract: This study investigates vulnerabilities within the Maven ecosystem by analyzing a comprehensive dataset of 14,459,139 releases. Our analysis reveals the most critical weaknesses that pose ...
In order for a shaded jar to be a drop-in replacement, promoteTransitiveDependencies should be true. This has an annoying side-effect of flattening the dependency tree. For example, suppose you have a ...
A JAR module (TestJAR) which has one dependency: commons-lang 2.3.
A WAR module (TestWAR) which uses these instructions to declare a dependency on TestJAR so that TestJAR is included in TestWAR's ...
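The first paragraph makes the point that an EOL component matters because of every path by which it is pulled in transitively, and the Maven fragments above (TestWAR depending on TestJAR, which depends on commons-lang 2.3) show exactly such a path. The script below is an added example, not code from the page, the cited papers, or the Stack Overflow thread: it parses the plain-text output of `mvn dependency:tree`, walks the tree with a depth stack, and reports every root-to-leaf chain that ends in a coordinate listed in a hypothetical EOL registry. The tree text and the EOL entry for `commons-lang:commons-lang 2.x` are constructed for the demo, not real EOL announcements.

```python
"""Find every path by which an end-of-life (EOL) Maven component reaches a
project, including through intermediate (transitive) dependencies.

Added example; the tree listing and the EOL registry are constructed.
"""
from typing import Dict, List, Set, Tuple

# Constructed output in the text format ``mvn dependency:tree`` prints:
# a root line, then one node per line with 3-character tree tokens per level.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ TestWAR ---
[INFO] com.example:TestWAR:war:1.0
[INFO] +- com.example:TestJAR:jar:1.0:compile
[INFO] |  \\- commons-lang:commons-lang:jar:2.3:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] \\- com.example:other-lib:jar:2.0:compile
[INFO]    \\- commons-lang:commons-lang:jar:2.3:compile
"""

# Hypothetical EOL registry (assumption for the demo):
# "groupId:artifactId" -> version prefix that is end of life.
EOL: Dict[str, str] = {
    "commons-lang:commons-lang": "2.",
}

# Each nesting level in dependency:tree output is exactly one of these tokens.
LEVEL_TOKENS = {"+- ", "\\- ", "|  ", "   "}


def parse_tree(text: str) -> List[Tuple[int, str]]:
    """Return (depth, coordinate) pairs in document order.

    Lines that do not look like a Maven coordinate (plugin banners, blank
    ``[INFO]`` lines) are skipped.
    """
    nodes: List[Tuple[int, str]] = []
    for line in text.splitlines():
        if not line.startswith("[INFO] "):
            continue
        rest = line[len("[INFO] "):]
        depth = 0
        while rest[:3] in LEVEL_TOKENS:
            rest = rest[3:]
            depth += 1
        # group:artifact:type[:classifier]:version[:scope] has >= 3 colons
        if rest.count(":") >= 3:
            nodes.append((depth, rest))
    return nodes


def _key_and_version(coordinate: str) -> Tuple[str, str]:
    """Split a coordinate into ("group:artifact", version)."""
    parts = coordinate.split(":")
    # 6 parts means a classifier is present: g:a:type:classifier:version:scope
    version = parts[4] if len(parts) == 6 else parts[3]
    return f"{parts[0]}:{parts[1]}", version


def eol_paths(text: str, eol: Dict[str, str]) -> List[List[str]]:
    """Every root-to-node chain whose last node matches the EOL registry.

    A stack of ancestors is kept per depth, so the chain for each hit is the
    exact route by which the EOL component is pulled in.
    """
    stack: List[str] = []
    hits: List[List[str]] = []
    for depth, coordinate in parse_tree(text):
        key, version = _key_and_version(coordinate)
        del stack[depth:]            # pop back to this node's parent
        stack.append(f"{key}:{version}")
        prefix = eol.get(key)
        if prefix is not None and version.startswith(prefix):
            hits.append(list(stack))
    return hits


def direct_deps_at_risk(text: str, eol: Dict[str, str]) -> Set[str]:
    """Direct dependencies whose subtree contains an EOL component.

    These are the packages a maintainer must replace or re-shade; the EOL
    coordinate itself is usually not declared in the project's own POM.
    """
    return {path[1] for path in eol_paths(text, eol) if len(path) > 1}


if __name__ == "__main__":
    for path in eol_paths(SAMPLE_TREE, EOL):
        print(" -> ".join(path))
    print("direct dependencies at risk:", sorted(direct_deps_at_risk(SAMPLE_TREE, EOL)))
```

On the constructed tree the EOL component is reached twice, through TestJAR and through other-lib, and neither path is visible from TestWAR's own POM. The same caveat applies to shading: once a module is shaded with promoteTransitiveDependencies, the intermediate hop disappears from the dependency-reduced POM and the promoted coordinate shows up one level higher in the consumer's tree, so a scan keyed on group:artifact:version still finds it, but the path no longer tells you which shaded component originally introduced it.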