[ https://issues.apache.org/jira/browse/MNG-6397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Guillaume Nodet updated MNG-6397: --------------------------------- Fix Version/s: 4.x / Backlog > Maven Transitive Dependency Resolution Does Not Respect Repository Definition > in pom.xml > ---------------------------------------------------------------------------------------- > > Key: MNG-6397 > URL: https://issues.apache.org/jira/browse/MNG-6397 > Project: Maven > Issue Type: New Feature > Components: Artifacts and Repositories, Dependencies, POM > Affects Versions: 3.0, 3.5.0, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.3 > Environment: Apache Maven 3.5.0 > (ff8f5e7444045639af65f6095c62210b5713f426; 2017-04-03T15:39:06-04:00) > Maven home: /usr/local/share/maven > Java version: 1.8.0_161, vendor: Oracle Corporation > Java home: > /Library/Java/JavaVirtualMachines/jdk1.8.0_161.jdk/Contents/Home/jre > Default locale: en_US, platform encoding: UTF-8 > OS name: "mac os x", version: "10.10.5", arch: "x86_64", family: "mac" > Reporter: Alan Czajkowski > Priority: Critical > Labels: maven > Fix For: 4.0.x-candidate, 4.x / Backlog, waiting-for-feedback > > > _*Note:* I am trying to do a build behind a firewall which means I cannot > access the Internet, I can only access my internal Maven repository inside my > network, so:_ > - _grabbing artifacts from https://artifacts.example.com/repository/maven/ > works fine_ > - _grabbing artifacts from anywhere else fails due to firewall restrictions_ > Let's begin: > My {{pom.xml}} has the following: > {code:xml} > ... > <dependencies> > ... > <dependency> > <groupId>org.springframework.boot</groupId> > <artifactId>spring-boot-starter-web</artifactId> > <version>2.0.0.RELEASE</version> > </dependency> > ... > </dependencies> > ... > <repositories> > ... > <repository> > <id>central</id> > <name>Public</name> > <url>https://artifacts.example.com/repository/maven/</url> > <releases> > <enabled>true</enabled> > </releases> > <snapshots> > <enabled>true</enabled> > </snapshots> > </repository> > ... > </repositories> > ... > {code} > The {{dependency:tree}} for the {{spring-boot-starter-web}} is as follows: > {code:java} > +- org.springframework.boot:spring-boot-starter-web:jar:2.0.0.RELEASE:compile > | +- > org.springframework.boot:spring-boot-starter-json:jar:2.0.0.RELEASE:compile > | | +- > com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.4:compile > | | +- > com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.4:compile > | | \- > com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.4:compile > | +- > org.springframework.boot:spring-boot-starter-tomcat:jar:2.0.0.RELEASE:compile > | | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.28:compile > | +- org.hibernate.validator:hibernate-validator:jar:6.0.7.Final:compile > | | +- javax.validation:validation-api:jar:2.0.1.Final:compile > | | +- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile > | | \- com.fasterxml:classmate:jar:1.3.1:compile > | \- org.springframework:spring-web:jar:5.0.4.RELEASE:compile > {code} > How is it that the build fails as such: > {code:java} > ... > Downloading: > https://repo.spring.io/milestone/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom > Downloading: > https://repo.spring.io/snapshot/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom > Downloading: > https://dl.bintray.com/rabbitmq/maven-milestones/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom > Downloading: > https://repo.maven.apache.org/maven2/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom > ... > [ERROR] Failed to execute goal on project maven-multi-module-demo-backend: > Could not resolve dependencies for project > com.example.pipe:maven-multi-module-demo-backend:war:1.0.0-SNAPSHOT: Failed > to collect dependencies at > org.springframework.boot:spring-boot-starter-web:jar:2.0.0.RELEASE -> > org.hibernate.validator:hibernate-validator:jar:6.0.7.Final: Failed to read > artifact descriptor for > org.hibernate.validator:hibernate-validator:jar:6.0.7.Final: Could not > transfer artifact org.jboss.shrinkwrap:shrinkwrap-bom:pom:1.2.3 from/to > spring-milestone (https://repo.spring.io/milestone): Connection reset -> > [Help 1] > ... > {code} > when I did not even reference this repo {{spring-milestone > ([https://repo.spring.io/milestone])}} anywhere in my {{pom.xml}}? > When you go down the Spring Boot rabbit hole (go into the > {{spring-boot-starter-web}}'s {{pom.xml}} and then traverse up its parent-pom > structure a few jumps) you'll eventually get to a parent-pom > {{spring-boot-dependencies}} with this definition: > {code:xml} > ... > <repositories> > <repository> > <snapshots> > <enabled>false</enabled> > </snapshots> > <id>spring-milestone</id> > <name>Spring Milestone</name> > <url>https://repo.spring.io/milestone</url> > </repository> > <repository> > <snapshots> > <enabled>true</enabled> > </snapshots> > <id>spring-snapshot</id> > <name>Spring Snapshot</name> > <url>https://repo.spring.io/snapshot</url> > </repository> > <repository> > <snapshots> > <enabled>false</enabled> > </snapshots> > <id>rabbit-milestone</id> > <name>Rabbit Milestone</name> > <url>https://dl.bintray.com/rabbitmq/maven-milestones</url> > </repository> > </repositories> > ... > {code} > How is it that the Maven build does _not_ even attempt to reach out to > [https://artifacts.example.com/repository/maven/] to try to find the missing > dependency {{shrinkwrap-bom}}? and only reaches out to the above repos only > and not the one defined in my own {{pom.xml}}? > *This seems like a transitive dependency resolution bug to me as the Maven > build does not even make a single attempt at trying to get {{shrinkwrap-bom}} > from the {{<repository>}} that I have explicitly defined in my {{pom.xml}}. > The (grand)parents of the {{spring-boot-starter-web}} dependency completely > hi-jack the repository list that the build pulls from (this type of > hi-jacking should not be allowed). The {{shrinkwrap-bom}} artifact does exist > in [https://artifacts.example.com/repository/maven/] and can be fetched no > problem if it is explicitly defined in my {{pom.xml}} but defining it > explicitly would be a work-around and I cannot use this work-around in my > situation.* -- This message was sent by Atlassian Jira (v8.20.10#820010)