Hello
https://mvnrepository.com/artifact/com.github.seancorfield/honeysql
mvnrepository lists a version 2.1.818 of com.github.seancorfield/honeysql, uploaded to jitpack.
I'm not sure if it is some kind of supply chain attack
But do not use/download this version.
No idea. But it's a) an ancient version of HoneySQL and b) who has jitpack configured as a repo for deps.edn or whatever?
It is pretty bad because if you land on the current page of maven, it recommends the jitpack version. Not sure if "deps updater" tools may do this too. The jitpack version is only a pom with an older Clojure version - no jar included.
How on Earth can it think 2.1.818 is "newer" than 2.7.1368?? What's the point of semantic versioning?
I forwarded this thread to the #honeysql channel BTW.
FWIW, that version is from Oct 4, 2021
Oh. Sorry for posting in the wrong channel. I am now more confident that someone did a wrong upload - and it is not a supply chain attack (and mvnrepository may have a bug too?!). And other update tools do not recommend the weird version - which is a good thing.
I suspect antq doesn't even check jitpack?
So, I looked at the jitpack docs and it builds things from source, based on a GH URL and release version. It supports Leiningen (and mvn, sbt, gradle) but not the CLI deps.edn / tools.build, so it's not useful to anyone for it to be up there... but also probably harmless?
2.1.818 is the first version that builds correctly on jitpack
and I have to wonder if mvn sorts jitpack over clojars for determining "latest"
Not mvn itself, but mvnrepository the website/app -- I don't even know what that's for, except "more information" across multiple repos?
I never use http://mvnrepository.com -- @souenzzo could you elaborate on how you found this?
mvnrepository used to be my standard (and trusted) way of checking for updates and versions - including renaming of artifacts and repository changes (that large Java projects do more often than I would like). I'm going to start being more suspicious of tools (like mvnrepository) before assuming something is wrong - Sorry for the panic.
PS1: Perhaps I became more frightened after reading dozens of articles recently about supply chain attacks.
PS2: I sent an email reporting the bug to the mvnrepository team.