
Deprecated or vulnerable plugins offered before non-deprecated and non-vulnerable plugins

      Steps to reproduce

      • Install the latest Jenkins weekly (at the time of this writing, 2.346).
      • Go through the setup wizard, installing all suggested plugins.
      • Install some of the plugins on the first page of available plugins. I installed Blue Ocean, Maven Integration, Docker Pipeline, Subversion, Config File Provider, jnr-posix API, Role-Based Authentication Strategy, Publish Over SSH, Jira, Pipeline Utility Steps, Copy Artifact, Rebuilder, Slack Notification, AnsiColor, Job DSL, and Amazon Web Services SDK.
      • Go to the plugin manager and look at the available plugins.

      Expected results

      Non-deprecated plugins are offered before deprecated plugins.

      Actual results

      Pipeline: Declarative Agent API and Icon Shim (which are both deprecated) and Extended Choice Parameter (which has security vulnerabilities) are offered before non-deprecated plugins without security vulnerabilities. This seems bad, as the order in which plugins are presented to users is an implicit sign of endorsement. We should not be implicitly endorsing deprecated or vulnerable plugins by offering them to users before non-deprecated and non-vulnerable plugins.

          [JENKINS-68408] Deprecated or vulnerable plugins offered before non-deprecated and non-vulnerable plugins

          Ulli Hafner added a comment -

          Maybe it would also make sense to add an additional checkbox as filter criteria ("( ) show deprecated and vulnerable plugins", unchecked by default) so that deprecated plugins are normally never shown even if someone enters a search text that matches a deprecated plugin.

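As an added illustration, not code from the Jenkins project or from anyone in this issue: a Python sketch of the ordering the description asks for (plugins with no deprecation and no applicable security warning first) together with the opt-in "show deprecated and vulnerable plugins" filter proposed in the comment. It assumes the update-center feed has top-level `plugins`, `warnings` (each with per-version regex `pattern`s that are matched against the whole offered version string) and `deprecations` keys; the feed below, including its plugin versions, popularity numbers and warning ids, is constructed for this example and does not describe real advisories.

```python
import json
import re

# Constructed sample in the shape of an update-center feed (assumption: the real
# feed exposes "plugins", "warnings" and "deprecations" roughly like this).
# Versions, popularity counts and warning ids are made up for the example.
SAMPLE_UPDATE_CENTER = json.dumps({
    "plugins": {
        "copyartifact": {"title": "Copy Artifact", "version": "1.0", "popularity": 9000},
        "icon-shim": {"title": "Icon Shim", "version": "3.0", "popularity": 12000},
        "extended-choice-parameter": {"title": "Extended Choice Parameter", "version": "1.0", "popularity": 11000},
        "pipeline-model-declarative-agent": {"title": "Pipeline: Declarative Agent API", "version": "1.1", "popularity": 15000},
        "ansicolor": {"title": "AnsiColor", "version": "1.0.2", "popularity": 8000},
    },
    "warnings": [
        # Warning that applies to every version of the plugin (pattern ".*").
        {"type": "plugin", "id": "CONSTRUCTED-1", "name": "extended-choice-parameter",
         "message": "constructed warning", "url": "https://example.invalid/1",
         "versions": [{"lastVersion": "1.0", "pattern": ".*"}]},
        # Warning already fixed: only 0.x versions match, the offered 1.0.2 does not.
        {"type": "plugin", "id": "CONSTRUCTED-2", "name": "ansicolor",
         "message": "constructed warning, fixed in 1.0.0", "url": "https://example.invalid/2",
         "versions": [{"lastVersion": "0.7.5", "pattern": "0[.].*"}]},
    ],
    "deprecations": {
        "icon-shim": {"url": "https://example.invalid/dep"},
        "pipeline-model-declarative-agent": {"url": "https://example.invalid/dep"},
    },
})


def warning_applies(warning, version):
    """True when the offered version matches any version pattern of the warning.
    The whole version string is matched, so "0[.].*" does not hit "1.0.2"."""
    return any(re.fullmatch(v["pattern"], version) for v in warning.get("versions", []))


def classify(update_center_json):
    """Flag every available plugin as deprecated and/or vulnerable at its offered version."""
    uc = json.loads(update_center_json)
    deprecated = set(uc.get("deprecations", {}))
    plugin_warnings = [w for w in uc.get("warnings", []) if w.get("type") == "plugin"]
    flags = {}
    for name, p in uc["plugins"].items():
        vulnerable = any(w.get("name") == name and warning_applies(w, p["version"])
                         for w in plugin_warnings)
        flags[name] = {
            "title": p["title"],
            "popularity": p.get("popularity", 0),
            "deprecated": name in deprecated,
            "vulnerable": vulnerable,
        }
    return flags


def rank_by_popularity(update_center_json):
    """The ordering the issue complains about: popularity only, flags ignored."""
    flags = classify(update_center_json)
    return [name for name, f in sorted(flags.items(), key=lambda kv: (-kv[1]["popularity"], kv[1]["title"]))]


def rank_available(update_center_json, show_flagged=True):
    """Clean plugins first, then deprecated ones, then ones with an applicable
    security warning; popularity only breaks ties inside a tier. Putting
    vulnerable plugins after merely deprecated ones is a design choice of this
    example. With show_flagged=False, flagged plugins are dropped entirely, which
    is the opt-in filter behaviour suggested in the comment above."""
    flags = classify(update_center_json)
    items = [(name, f) for name, f in flags.items()
             if show_flagged or not (f["deprecated"] or f["vulnerable"])]
    return [name for name, f in sorted(
        items, key=lambda kv: (kv[1]["vulnerable"], kv[1]["deprecated"],
                               -kv[1]["popularity"], kv[1]["title"]))]


if __name__ == "__main__":
    print("popularity only:", rank_by_popularity(SAMPLE_UPDATE_CENTER))
    print("flags first:   ", rank_available(SAMPLE_UPDATE_CENTER))
    print("flagged hidden:", rank_available(SAMPLE_UPDATE_CENTER, show_flagged=False))
```

With the constructed feed, the popularity-only order offers the two deprecated plugins and the vulnerable one ahead of Copy Artifact and AnsiColor, which is the behaviour reported above; the tiered order moves them to the end, and the filter removes them unless the user opts in.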

            Assignee: Unassigned
            Reporter: Basil Crow (basil)
            Votes: 0
            Watchers: 3
