AFAIK many packages on Maven Central come from GitHub, and malware on GitHub is not that uncommon. Also, everyone can upload packages to Maven Central.
My question is whether a dependency could be dangerous for me when only compiling.
For example, I don't know if Maven POM files can contain malicious build commands.
Also I don't know if the java compiler will run some part of the code at compile time.
Thanks in advance...
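The two mechanisms the question asks about do exist and can be audited before running a build: Maven plugins declared in a POM run during lifecycle phases (several of them, such as exec-maven-plugin or maven-antrun-plugin, exist precisely to run commands or scripts), and javac itself executes annotation processors it discovers on the processor path unless processing is disabled with `-proc:none`. The script below is an added example, not code from the original post or from the Maven project. It parses a constructed pom.xml with the standard library, reports plugins that execute code (and the phase they fire in), and checks whether the compiler plugin disables annotation processing. The plugin list is illustrative, not exhaustive.

```python
"""Audit a Maven POM for build-time code execution paths (added example).

Reports two things worth knowing before `mvn compile` on untrusted code:
  1. plugins that run commands or scripts during the build, and the
     lifecycle phase each execution is bound to;
  2. whether maven-compiler-plugin disables annotation processing
     (<proc>none</proc> or the -proc:none compiler argument), since javac
     runs annotation processors found on the classpath during compilation.
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Plugins whose normal job is to execute code supplied in the POM or on the
# build classpath. Illustrative list, assumed for this example.
CODE_EXECUTING_PLUGINS = {
    "org.codehaus.mojo:exec-maven-plugin",
    "org.apache.maven.plugins:maven-antrun-plugin",
    "org.codehaus.gmavenplus:gmavenplus-plugin",
    "org.codehaus.gmaven:groovy-maven-plugin",
}

# Constructed sample POM: disables annotation processing but binds
# exec-maven-plugin to generate-sources, which runs before compile.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <build>
    <plugins>
      <plugin>
        <artifactId>maven-compiler-plugin</artifactId>
        <configuration><proc>none</proc></configuration>
      </plugin>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>exec-maven-plugin</artifactId>
        <executions>
          <execution>
            <phase>generate-sources</phase>
            <goals><goal>exec</goal></goals>
          </execution>
        </executions>
        <configuration><executable>echo</executable></configuration>
      </plugin>
    </plugins>
  </build>
</project>"""


def _text(el, path):
    """Return stripped text of a namespaced child element, or None."""
    child = el.find(path, NS)
    return child.text.strip() if child is not None and child.text else None


def audit_pom(pom_xml: str) -> dict:
    root = ET.fromstring(pom_xml)
    findings = []
    annotation_processing_disabled = False
    # .//m:plugins/m:plugin covers build/plugins, pluginManagement and profiles.
    for plugin in root.iterfind(".//m:plugins/m:plugin", NS):
        # Maven defaults a missing groupId to org.apache.maven.plugins.
        group = _text(plugin, "m:groupId") or "org.apache.maven.plugins"
        key = f"{group}:{_text(plugin, 'm:artifactId')}"
        phases = [p for p in (_text(ex, "m:phase")
                              for ex in plugin.iterfind("m:executions/m:execution", NS)) if p]
        if key in CODE_EXECUTING_PLUGINS:
            findings.append({"plugin": key, "phases": phases or ["(plugin default)"]})
        if key == "org.apache.maven.plugins:maven-compiler-plugin":
            if _text(plugin, "m:configuration/m:proc") == "none":
                annotation_processing_disabled = True
            for arg in plugin.iterfind("m:configuration/m:compilerArgs/m:arg", NS):
                if arg.text and arg.text.strip() == "-proc:none":
                    annotation_processing_disabled = True
    return {"code_executing_plugins": findings,
            "annotation_processing_disabled": annotation_processing_disabled}


if __name__ == "__main__":
    report = audit_pom(SAMPLE_POM)
    for f in report["code_executing_plugins"]:
        print(f"code-executing plugin {f['plugin']} bound to {', '.join(f['phases'])}")
    print("annotation processing disabled:", report["annotation_processing_disabled"])
```

Run it against a downloaded project's pom.xml before building; a plugin bound to a phase such as `generate-sources` or `process-sources` will run even when only `mvn compile` is invoked, and a dependency's own jar can still contribute annotation processors unless processing is disabled or restricted with `-processorpath`.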