[ https://issues.apache.org/jira/browse/MPIR-473?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17907387#comment-17907387 ]
ASF GitHub Bot commented on MPIR-473:
-------------------------------------
cpfeiffer opened a new pull request, #92:
URL: https://github.com/apache/maven-project-info-reports-plugin/pull/92
Avoid leaking requests to remote repositories that are not configured for
the project.
- [x] Make sure there is a [JIRA issue](https://issues.apache.org/jira/browse/MPIR) filed
  for the change (usually before you start working on it). Trivial changes like typos do not
  require a JIRA issue. Your pull request should address just this issue, without
  pulling in other changes.
- [x] Each commit in the pull request should have a meaningful subject line and body.
- [x] Format the pull request title like `[MPIR-XXX] - Fixes bug in ApproximateQuantiles`,
  where you replace `MPIR-XXX` with the appropriate JIRA issue. Best practice
  is to use the JIRA issue title in the pull request title and in the first line of the
  commit message.
- [x] Write a pull request description that is detailed enough to understand what the pull
  request does, how, and why.
- [x] Run `mvn clean verify` to make sure basic checks pass. A more thorough check will
  be performed on your pull request automatically.
- [x] You have run the integration tests successfully (`mvn -Prun-its clean verify`).
- [x] I hereby declare this contribution to be licenced under the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0)
- [ ] In any other case, please file an [Apache Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf).
> Do not leak requests to outside repositories
> --------------------------------------------
>
> Key: MPIR-473
> URL: https://issues.apache.org/jira/browse/MPIR-473
> Project: Maven Project Info Reports Plugin
> Issue Type: Improvement
> Components: dependencies, dependency-management
> Reporter: Carsten Pfeiffer
> Priority: Major
>
> When using a custom settings.xml or repositories configured in the pom, we
> should make sure to honor this and only ever contact these repositories for
> dependencies.
> See this output, where certain repositories, even those found in transitive
> dependencies, are contacted. Not only does this lead to lots of unneeded
> requests, it also leaks groupIds and artifactIds to these servers.
> {code}
> 11:57:20.026 [DEBUG] Failure to find
> com.example:myartifact:1.19.0-SNAPSHOT/maven-metadata.xml in
> https://maven.java.net/content/repositories/snapshots was cached in the local
> repository, resolution will not be reattempted until the update interval of
> jvnet-nexus-snapshots has elapsed or updates are forced
> 11:57:20.028 [DEBUG] Failure to find
> com.example:myartifact:1.19.0-SNAPSHOT/maven-metadata.xml in
> https://repository.jboss.org/nexus/content/repositories/public/ was cached in
> the local repository, resolution will not be reattempted until the update
> interval of JBOSS has elapsed or updates are forced
> 11:57:20.031 [DEBUG] Failure to find
> com.example:myartifact:1.19.0-SNAPSHOT/maven-metadata.xml in
> https://oss.sonatype.org/content/repositories/snapshots was cached in the
> local repository, resolution will not be reattempted until the update
> interval of sonatype-nexus-snapshots has elapsed or updates are forced
> 11:57:20.033 [DEBUG] Failure to find
> com.example:myartifact:1.19.0-SNAPSHOT/maven-metadata.xml in
> https://oss.sonatype.org/content/repositories/snapshots was cached in the
> local repository, resolution will not be reattempted until the update
> interval of snapshots-repo has elapsed or updates are forced
> 11:57:20.036 [DEBUG] Failure to find
> com.example:myartifact:1.19.0-SNAPSHOT/maven-metadata.xml in
> https://oss.sonatype.org/content/repositories/releases was cached in the
> local repository, resolution will not be reattempted until the update
> interval of sonatype-releases has elapsed or updates are forced
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
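
An added example, not part of the pull request or the plugin: a Python check that scans Maven debug output for the cached-failure messages quoted in the issue and reports which repository hosts outside an allowlist were sent which groupId and artifactId. The name `find_leaks`, the allowlist, the host `repo.example.com` and the repository id `corp-snapshots` are assumptions; the sample log is constructed from the issue's output.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Resolver message as quoted in the issue. It reports a lookup failure that was
# cached earlier, so each hit is evidence the repository was queried before.
FAILURE_RE = re.compile(
    r"Failure to find (?P<coords>\S+) in (?P<url>https?://\S+) was cached in "
    r"the local repository.*?update interval of (?P<repo_id>\S+) has elapsed"
)

def find_leaks(log_text, allowed_hosts):
    """Map each non-allowlisted repository host to the coordinates it was sent."""
    # Mail clients and terminals hard-wrap these lines; collapse whitespace first.
    flat = " ".join(log_text.split())
    leaks = defaultdict(set)
    for m in FAILURE_RE.finditer(flat):
        host = (urlsplit(m["url"]).hostname or "").lower()
        if host in allowed_hosts:
            continue
        # coords look like groupId:artifactId:version/maven-metadata.xml
        gav = m["coords"].split("/", 1)[0].split(":")
        if len(gav) >= 2:
            leaks[host].add((gav[0], gav[1], m["repo_id"]))
    return dict(leaks)

# Constructed sample modelled on the debug output in the issue; the first entry
# (repo.example.com, corp-snapshots) is a hypothetical configured repository.
SAMPLE_LOG = """\
11:57:20.020 [DEBUG] Failure to find
com.example:myartifact:1.19.0-SNAPSHOT/maven-metadata.xml in
https://repo.example.com/maven/snapshots was cached in the local
repository, resolution will not be reattempted until the update interval of
corp-snapshots has elapsed or updates are forced
11:57:20.026 [DEBUG] Failure to find
com.example:myartifact:1.19.0-SNAPSHOT/maven-metadata.xml in
https://maven.java.net/content/repositories/snapshots was cached in the local
repository, resolution will not be reattempted until the update interval of
jvnet-nexus-snapshots has elapsed or updates are forced
11:57:20.031 [DEBUG] Failure to find
com.example:myartifact:1.19.0-SNAPSHOT/maven-metadata.xml in
https://oss.sonatype.org/content/repositories/snapshots was cached in the
local repository, resolution will not be reattempted until the update
interval of sonatype-nexus-snapshots has elapsed or updates are forced
"""
ALLOWED = {"repo.example.com"}

if __name__ == "__main__":
    print(find_leaks(SAMPLE_LOG, ALLOWED))
```

Run over a build's `-X` output in CI, an empty result means no cached-failure message named a repository outside the allowlist; it does not cover requests that succeeded.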