Given a deps.edn file with a :mvn/repos entry for a private Maven repository and a dependency on a Maven coordinate that lives in that repository, how can I mitigate the risk of that coordinate getting shadowed / hijacked in one of the default public repositories?
Possible solutions:
- Allow pinning a Maven dependency to a particular repository
- Allow declaring priority order of Maven repositories (in the example scenario, the private repository would then get the highest priority and always be checked before the other ones)
- Allow pinning a Maven dependency to a particular signing key and require it be signed (but looks like tools.deps currently doesn't support verifying signed artifacts?)