I don't know how to properly hash-lock dependencies on the Maven project I am packaging. `mvn org.nixos.mvn2nix:mvn2nix-maven-plugin:mvn2nix` produces a file with sha1s, and mavenix uses sha1s too.
This project uses sha512s, which are not deprecated like sha1s. However, the lock plugin is then part of the dependencies. If it doesn't do what it's supposed to do, then we might not notice, because it could decide not to check the dependencies (including itself). Is that right, or am I misunderstanding this plugin? If I am right, then I consider this a major security concern, potentially bypassing all the dependency checking.
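One way to check locked SHA-512 hashes from outside the Maven build, so that the check does not rely on the lock plugin verifying itself (an added example, not part of the original issue or the project's code). The lockfile layout (`artifacts` entries with `path` and `sha512`) and the artifact names are assumptions made for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample data: artifact paths and contents are made up for this example.
PLUGIN = "org/example/lock-plugin/1.0/lock-plugin-1.0.jar"
LIBRARY = "org/example/lib/2.0/lib-2.0.jar"
SAMPLE = {PLUGIN: b"plugin bytes", LIBRARY: b"library bytes"}


def sha512_file(path: Path) -> str:
    """Stream the file so large JARs are not loaded into memory at once."""
    digest = hashlib.sha512()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify(lock: dict, repo: Path) -> list:
    """Return (path, problem) for every lock entry that does not check out."""
    root = repo.resolve()
    failures = []
    for entry in lock["artifacts"]:
        target = (root / entry["path"]).resolve()
        if not target.is_relative_to(root):  # reject entries pointing outside the repo
            failures.append((entry["path"], "path escapes repository"))
        elif not target.is_file():
            failures.append((entry["path"], "missing"))
        elif sha512_file(target) != entry["sha512"].lower():
            failures.append((entry["path"], "sha512 mismatch"))
    return failures


def demo() -> dict:
    """Build a throwaway repository, then check it clean, modified and incomplete."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        for rel, data in SAMPLE.items():
            (repo / rel).parent.mkdir(parents=True)
            (repo / rel).write_bytes(data)
        lock = {"artifacts": [{"path": rel, "sha512": hashlib.sha512(data).hexdigest()}
                              for rel, data in SAMPLE.items()]}
        clean = verify(lock, repo)
        (repo / PLUGIN).write_bytes(b"modified plugin bytes")  # the plugin JAR itself changes
        modified = verify(lock, repo)
        (repo / LIBRARY).unlink()
        incomplete = verify(lock, repo)
    return {"clean": clean, "modified": modified, "incomplete": incomplete}


if __name__ == "__main__":
    print(demo())
```

Because the script runs before Maven and uses only the Python standard library, a changed plugin JAR is reported like any other artifact instead of being trusted to report on itself.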