Fork me on GitHub

Maybe stating the obvious, but if it’s a non-snapshot, and available locally, that one will be used.


yup, I'm thinking about it from the dependency confusion angle. If I specify [org.clojure/clojure "1.10.0"] and version "99.0" is available elsewhere, then I won't get the "99.0" version. I'll get what I specified


vs if "1.10.0" is available in a different repo, it's not as clear which will get picked up


IMO the right answer is "don't let that non-owners of that artifact upload it elsewhere", but I'm making sure I understand the problem as it stands today


It's a known risk/exploit with a lot of package managers. With maven central at least it's very hard to get something in. The exploit is when you know some company is using an internal library, and upload the same, or a newer version to the central 'store'.


yes - hard to get something in Maven, and version globs are so much rarer in the Maven world