sql

souenzzo 2026-04-15T18:54:51.572849Z

Hello. https://mvnrepository.com/artifact/com.github.seancorfield/honeysql mvnrepository lists a version 2.1.818 of com.github.seancorfield/honeysql, uploaded to jitpack. I'm not sure if it is some kind of supply chain attack, but do not use/download this version.

souenzzo 2026-04-15T18:56:18.480719Z

seancorfield 2026-04-15T18:58:26.847429Z

No idea. But it's a) an ancient version of HoneySQL and b) who has jitpack configured as a repo for deps.edn or whatever?

souenzzo 2026-04-15T19:00:01.469609Z

It is pretty bad because if you land on the current page of maven, it recommends the jitpack version. Not sure if "deps updater" tools may do this too. The jitpack version is only a pom with an older clojure version - no jar included.

seancorfield 2026-04-15T19:01:49.967959Z

How on Earth can it think 2.1.818 is "newer" than 2.7.1368?? What's the point of semantic versioning?

seancorfield 2026-04-15T19:03:06.725439Z

I forwarded this thread to the #honeysql channel BTW.

seancorfield 2026-04-15T19:07:36.944709Z

FWIW, that version is from Oct 4, 2021

souenzzo 2026-04-15T19:10:10.389849Z

Oh. Sorry for posting in the wrong channel. I am now more confident that someone did a wrong upload - and it is not a supply chain attack (and mvnrepository may have a bug too?!). And other update tools do not recommend the weird version - which is a good thing.

seancorfield 2026-04-15T19:11:27.467009Z

I suspect antq doesn't even check jitpack?

seancorfield 2026-04-15T19:12:44.618899Z

So, I looked at the jitpack docs and it builds things from source, based on a GH URL and release version. It supports Leiningen (and mvn, sbt, gradle) but not the CLI deps.edn / tools.build, so it's not useful to anyone for it to be up there... but also probably harmless?

2026-04-15T19:14:14.196139Z

2.1.818 is the first version that builds correctly on jitpack

2026-04-15T19:14:52.997619Z

And I have to wonder if mvn sorts jitpack over clojars for determining "latest".

seancorfield 2026-04-15T19:16:10.984279Z

Not mvn itself, but mvnrepository the website/app -- I don't even know what that's for, except "more information" across multiple repos?

seancorfield 2026-04-15T19:16:48.558499Z

I never use http://mvnrepository.com -- @souenzzo could you elaborate on how you found this?

souenzzo 2026-04-15T19:26:27.031099Z

mvnrepository used to be my standard (and trusted) way of checking for updates and versions - including renaming of artifacts and repository changes (that large Java projects do more often than I would like). I'm going to start being more suspicious of tools (like mvnrepository) before assuming something is wrong. Sorry for the panic.

PS1: Perhaps I became more frightened after reading dozens of articles recently about supply chain attacks.

PS2: I sent an email reporting the bug to the mvnrepository team.
