fix: lockfile should not be generated or validate if skip option is true

[massimeddu-sj]

This PR fix the behaviour of the skip option, actually skipping the generation and the validation of the lockfiles, if it is set.

[monperrus]

thanks for the PR.

this seems to me a dangerous option, low integrity and potential attack vector.

I don't remember why we added this option in the first place, and the doc does not convince me.

What about removing this option? WDYT?

[massimeddu-sj]

thanks for the PR.

this seems to me a dangerous option, low integrity and potential attack vector.

I don't remember why we added this option in the first place, and the doc does not convince me.

What about removing this option? WDYT?

I think that the skip option is actually quite standard for maven plugins.

I can share our use case:

We would like to move the maven-lockfile into a parent-project to have a consistent configuration. However for some child projects, we would like to disable the maven-lockfile at all.

This can be done easily using the skip option in this way:

parent pom:

          <artifactId>maven-lockfile</artifactId>
          <version>5.1.3</version>
          <configuration>
            <skip>${lockfile.skip}</skip>
          </configuration>

child pom:

  <properties>
    <lockfile.skip>true</lockfile.skip>
  </properties>

without the skip option, it would be much harder to get this behavior.

Also I don't see a security risk here, as soon as we have sane defaults and clear documentation on this option.

[monperrus]

all right, we proceed then!

thanks for your contribution