gradle-witness

Transient dependencies are not verified.

Open ghost opened this issue 5 years ago • 0 comments

Correct me if I'm wrong, but I don't think the pom/transient dependencies are verified. A malicious repo could edit a pom, add a new transient dependency without triggering a verification failure. The newly created dependency will not exist in the dependencyVerification block and therefore not be checked.

The pom (or some transient dependency list) would need to also be verified, not just the jar files.

ghost, May 11 '19 16:05
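Added example, not code from the issue or from the gradle-witness project: a Python check over a constructed POM that lists which declared dependencies a witness-style verify list never pins, and digests the POM so the POM itself can be pinned next to the jar. The `group:artifact:version:sha256` entry format, the sample coordinates and the placeholder hashes are assumptions made for this example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a POM as a malicious repository might serve it, with an
# extra dependency appended that the consumer never pinned.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId><artifactId>lib</artifactId><version>1.0</version>
  <dependencies>
    <dependency><groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId><version>2.9.8</version></dependency>
    <dependency><groupId>com.example.injected</groupId>
      <artifactId>extra</artifactId><version>0.1</version></dependency>
  </dependencies>
</project>"""

# Constructed verify list in the assumed 'group:artifact:version:sha256' form.
# Only the library and jackson-databind are pinned; the hashes are placeholders.
SAMPLE_VERIFY = [
    "org.example:lib:1.0:" + "00" * 32,
    "com.fasterxml.jackson.core:jackson-databind:2.9.8:" + "11" * 32,
]

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def pom_dependencies(pom_xml):
    """Return the group:artifact:version coordinates the POM declares."""
    root = ET.fromstring(pom_xml)
    coords = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        parts = [dep.findtext("m:" + tag, default="", namespaces=NS)
                 for tag in ("groupId", "artifactId", "version")]
        coords.append(":".join(parts))
    return coords


def pinned_coordinates(verify_lines):
    """Drop the trailing hash so entries match on coordinates alone."""
    return {line.rsplit(":", 1)[0] for line in verify_lines}


def unverified_dependencies(pom_xml, verify_lines):
    """Coordinates the POM pulls in that the verify list never pins."""
    pinned = pinned_coordinates(verify_lines)
    return [c for c in pom_dependencies(pom_xml) if c not in pinned]


def pom_sha256(pom_xml):
    """Digest of the POM bytes, so the POM can be pinned alongside the jar."""
    return hashlib.sha256(pom_xml.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print(unverified_dependencies(SAMPLE_POM, SAMPLE_VERIFY))
    print(pom_sha256(SAMPLE_POM))
```

Running it over the constructed POM reports the injected coordinate as unpinned, which is exactly the gap the issue describes when only jars are hashed.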