maven-central
Safeguard articles tagged "maven-central" — guides, analysis, and best practices for software supply chain and application security.
5 articles
Maven Central's January 2025 Sigstore Validation Launch: Bringing Java Provenance to the Central Publisher Portal
Sonatype's Central Publisher Portal began validating Sigstore signature bundles in January 2025 alongside the existing PGP requirement. Here is the defender view of how the Java ecosystem's provenance story is finally catching up.
Maven Central Malicious Publishing Trends 2025
Maven Central has historically been the quietest major registry for malware, but 2025 saw a measurable uptick in malicious artifacts and namespace abuse.
Maven Central dependency confusion and namespace collisio...
How Maven's groupId system and multi-repo resolution let attackers slip malicious packages into Java builds — and how to close the internal vs public repo gap.
Maven Central Changes in 2024 and Their Security Impact
Sonatype made several Maven Central changes in 2024 that materially affected the Java supply chain. A rundown of what changed, who was affected, and what Java teams should do.
Maven Central Supply Chain Risks: Securing the Java Ecosystem
Maven Central is the backbone of the Java ecosystem, serving billions of artifact downloads annually. Its unique trust model and dependency resolution create supply chain risks that Java teams must understand.