From ad62c78a91a022553c0283b2d0acd0a69cc40c0e Mon Sep 17 00:00:00 2001 From: Harsh Mehta Date: Tue, 16 Dec 2025 17:39:08 +0530 Subject: [PATCH] Add security warnings against version ranges and special version qualifiers Signed-off-by: Harsh Mehta --- content/markdown/pom.md | 4 ++++ content/markdown/security.md | 21 +++++++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/content/markdown/pom.md b/content/markdown/pom.md index 50e4c3a49c..bfd70e09c1 100644 --- a/content/markdown/pom.md +++ b/content/markdown/pom.md @@ -314,6 +314,8 @@ Version requirements have the following syntax: Maven picks the highest version of each project that satisfies all the hard requirements of the dependencies on that project. If no version satisfies all the hard requirements, the build fails. +**Security Warning**: The use of version ranges (hard requirements with brackets and parentheses) is **strongly discouraged** due to security concerns. Version ranges introduce unpredictability in builds, can lead to non-reproducible builds, and may unexpectedly pull in vulnerable versions of dependencies. Always prefer using explicit, fixed version numbers for dependencies to ensure build reproducibility and security. For similar reasons, the use of `min` and `max` suffixes in version strings should also be avoided (see [Version Order Specification](#version-order-specification) below). + #### Version Order Specification If version strings are syntactically correct [Semantic Versioning 1.0.0](https://semver.org/spec/v1.0.0.html) 
@@ -399,6 +401,8 @@ Following semver rules is encouraged, and some qualifiers are discouraged: * Avoid non-ASCII characters, including non-ASCII digits, which may sort in surprising ways. * Avoid upper case characters. +**Security Warning**: The usage of `min` and `max` suffixes in version strings is **strongly discouraged** as they represent a security vulnerability similar to version ranges. These special qualifiers can lead to unpredictable dependency resolution behavior and potential security risks. Always use explicit, fixed version numbers for dependencies instead of relying on `min` or `max` qualifiers. + End Result Examples: * `1` \< `1.1` (number padding) diff --git a/content/markdown/security.md b/content/markdown/security.md index b2a64a0cc4..15698d3e21 100644 --- a/content/markdown/security.md +++ b/content/markdown/security.md 
@@ -31,6 +31,27 @@ the code, dependencies and repositories that are used in your build. If you want to use Maven to build untrusted code, it is up to you to provide the required isolation. +## Security Best Practices + +### Avoid Version Ranges and Special Version Qualifiers + +**Strongly discouraged**: The use of version ranges and special version qualifiers like `min` and `max` suffixes. + +Version ranges (e.g., `[1.0,2.0)`, `[1.5,)`) and special version qualifiers (e.g., `-min`, `-max`) introduce several security concerns: + +- **Non-reproducible builds**: Different versions may be resolved at different times, making builds unpredictable +- **Unexpected vulnerabilities**: Newer versions within a range may contain security vulnerabilities that weren't present when the dependency was initially added +- **Supply chain attacks**: Attackers could publish malicious versions within an acceptable range +- **Lack of determinism**: The same `pom.xml` may produce different artifacts depending on when and where it's built + +**Best Practice**: Always use explicit, fixed version numbers for dependencies (e.g., `1.2.3` instead of `[1.0,2.0)` or `1.2.3-min`). This ensures: +- Build reproducibility +- Predictable dependency resolution +- Better security auditing +- Explicit control over dependency updates + +See the [POM Reference documentation](./pom.html#dependency-version-requirement-specification) for more details on version specifications and the [Version Order Specification](./pom.html#version-order-specification) for information about version qualifiers. + ## Security Vulnerabilities Please note that binary patches are not produced for individual
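Review bot: In the first pom.md hunk (`@@ -314`), the added warning repeats nearly the same rationale that the patch also adds under "Version Order Specification" and again in security.md, so three copies of the same advice will drift apart on the next edit; keep one sentence here ("Version ranges make builds non-reproducible and may resolve to a vulnerable release; prefer fixed versions, see the security page") and link to the new security.md section for the full reasoning. The forward reference to `min` and `max` also lands before the reader has met those qualifiers; either drop it here or say what they are in the linked section.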
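Review bot: In the second pom.md hunk (`@@ -399`), "they represent a security vulnerability similar to version ranges" overstates the case: a `min`/`max` qualifier is a version-ordering feature, not a vulnerability in itself, and the rest of the patch describes the actual concern as unpredictable dependency resolution. Suggest wording it as "introduce the same resolution unpredictability as version ranges" and linking to the Security Best Practices section that this patch adds to security.md, rather than restating the advice inline.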
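Review bot: In the security.md hunk (`@@ -31`), the "Supply chain attacks" bullet should state its precondition: an attacker can only publish "malicious versions within an acceptable range" if they hold publish rights to the same coordinates in a repository the build trusts, so the bullet as written reads as if any range is exploitable by anyone; add "if a repository or the project's publishing credentials are compromised". The "Lack of determinism" bullet duplicates "Non-reproducible builds" and can be merged. Also confirm that the anchor `dependency-version-requirement-specification` exists in pom.md; only `version-order-specification` is visible in the pom.md hunks of this patch.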