apache · HarshMehta112 · Dec 16, 2025 · Bukama · Dec 16, 2025 · elharo
diff --git a/content/markdown/pom.md b/content/markdown/pom.md
@@ -314,6 +314,8 @@ Version requirements have the following syntax:
 Maven picks the highest version of each project that satisfies all the hard requirements of the dependencies on that project.
 If no version satisfies all the hard requirements, the build fails.
 
+**Security Warning**: The use of version ranges (hard requirements with brackets and parentheses) is **strongly discouraged** due to security concerns. Version ranges introduce unpredictability in builds, can lead to non-reproducible builds, and may unexpectedly pull in vulnerable versions of dependencies. Always prefer using explicit, fixed version numbers for dependencies to ensure build reproducibility and security. For similar reasons, the use of `min` and `max` suffixes in version strings should also be avoided (see [Version Order Specification](#version-order-specification) below).
+
 #### Version Order Specification
 
 If version strings are syntactically correct [Semantic Versioning 1.0.0](https://semver.org/spec/v1.0.0.html)
@@ -399,6 +401,8 @@ Following semver rules is encouraged, and some qualifiers are discouraged:
 * Avoid non-ASCII characters, including non-ASCII digits, which may sort in surprising ways.
 * Avoid upper case characters.
 
+**Security Warning**: The usage of `min` and `max` suffixes in version strings is **strongly discouraged** as they represent a security vulnerability similar to version ranges. These special qualifiers can lead to unpredictable dependency resolution behavior and potential security risks. Always use explicit, fixed version numbers for dependencies instead of relying on `min` or `max` qualifiers.
+
 End Result Examples:
 
 * `1` \< `1.1` (number padding)

diff --git a/content/markdown/security.md b/content/markdown/security.md
@@ -31,6 +31,27 @@ the code, dependencies and repositories that are used in your build.
 If you want to use Maven to build untrusted code, it is up to you to
 provide the required isolation.
 
+## Security Best Practices
+
+### Avoid Version Ranges and Special Version Qualifiers
+
+**Strongly discouraged**: The use of version ranges and special version qualifiers like `min` and `max` suffixes.
+
+Version ranges (e.g., `[1.0,2.0)`, `[1.5,)`) and special version qualifiers (e.g., `-min`, `-max`) introduce several security concerns:
+
+- **Non-reproducible builds**: Different versions may be resolved at different times, making builds unpredictable
+- **Unexpected vulnerabilities**: Newer versions within a range may contain security vulnerabilities that weren't present when the dependency was initially added
+- **Supply chain attacks**: Attackers could publish malicious versions within an acceptable range
+- **Lack of determinism**: The same `pom.xml` may produce different artifacts depending on when and where it's built
+
+**Best Practice**: Always use explicit, fixed version numbers for dependencies (e.g., `1.2.3` instead of `[1.0,2.0)` or `1.2.3-min`). This ensures:
+- Build reproducibility
+- Predictable dependency resolution
+- Better security auditing
+- Explicit control over dependency updates
+
+See the [POM Reference documentation](./pom.html#dependency-version-requirement-specification) for more details on version specifications and the [Version Order Specification](./pom.html#version-order-specification) for information about version qualifiers.
+
 ## Security Vulnerabilities
 
 Please note that binary patches are not produced for individual