I’m sure this is a dumb question, but if the version of maven-dependency-plugin is not specified in the pom, it will use the version selected by maven itself? I’m asking because I’m fighting a security CI pipeline that’s reporting a version that shouldn’t be there.
Yeah, it comes from the base pom or super pom or whatever they call it
https://maven.apache.org/ref/3.6.3/maven-model-builder/super-pom.html