[
https://issues.apache.org/jira/browse/MNG-6397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17184877#comment-17184877
]
Alan Czajkowski edited comment on MNG-6397 at 8/26/20, 2:53 AM:
----------------------------------------------------------------
[~michael-o] I'm not sure you fully understand the problem here. The
construction of the dependency graph is very important here. How those
dependencies are downloaded is crucial as well. Spring Boot takes the
_non-standard_ approach of forcing you to reference their parent POM _instead
of_ simply just referencing Spring Boot as a dependency in your project POM. As
a result, the dependency graph is hi-jacked by Spring Boot because the graph
root does not hinge on your project POM as the root of the graph, your project
POM just becomes a child in the puppet-mastery of the Spring Boot parent POM,
and you, as a developer, are no longer in control of the build in the entirety
-- and this scenario of "loss of control" has exposed a certain edge-case bug
in *how* _all_ of the dependencies of the entire dependency graph get
downloaded.
was (Author: alan-czajkowski):
[~michael-o] I'm not sure you fully understand the problem here. The
construction of the dependency graph is very important here. How those
dependencies are downloaded is crucial as well. Spring Boot takes the
_non-standard_ approach of forcing you to reference their parent POM _instead
of_ simply just referencing a dependency. As a result, the dependency graph is
hi-jacked by Spring Boot because the graph root does not hinge on your project
POM as the root of the graph, your project POM just becomes a child in the
puppet-mastery of the Spring Boot parent POM, and you, as a developer, are no
longer in control of the build in the entirety -- and this scenario of "loss of
control" has exposed a certain edge-case bug in *how* _all_ of the dependencies
of the entire dependency graph get downloaded.
> Maven Transitive Dependency Resolution Does Not Respect Repository Definition
> in pom.xml
> ----------------------------------------------------------------------------------------
>
> Key: MNG-6397
> URL: https://issues.apache.org/jira/browse/MNG-6397
> Project: Maven
> Issue Type: New Feature
> Components: Artifacts and Repositories, Dependencies, POM
> Affects Versions: 3.5.0, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.3
> Environment: Apache Maven 3.5.0
> (ff8f5e7444045639af65f6095c62210b5713f426; 2017-04-03T15:39:06-04:00)
> Maven home: /usr/local/share/maven
> Java version: 1.8.0_161, vendor: Oracle Corporation
> Java home:
> /Library/Java/JavaVirtualMachines/jdk1.8.0_161.jdk/Contents/Home/jre
> Default locale: en_US, platform encoding: UTF-8
> OS name: "mac os x", version: "10.10.5", arch: "x86_64", family: "mac"
> Reporter: Alan Czajkowski
> Priority: Critical
> Labels: maven
>
> _*Note:* I am trying to do a build behind a firewall which means I cannot
> access the Internet, I can only access my internal Maven repository inside my
> network, so:_
> - _grabbing artifacts from https://artifacts.example.com/repository/maven/
> works fine_
> - _grabbing artifacts from anywhere else fails due to firewall restrictions_
> Let's begin:
> My {{pom.xml}} has the following:
> {code:xml}
> ...
> <dependencies>
> ...
> <dependency>
> <groupId>org.springframework.boot</groupId>
> <artifactId>spring-boot-starter-web</artifactId>
> <version>2.0.0.RELEASE</version>
> </dependency>
> ...
> </dependencies>
> ...
> <repositories>
> ...
> <repository>
> <id>central</id>
> <name>Public</name>
> <url>https://artifacts.example.com/repository/maven/</url>
> <releases>
> <enabled>true</enabled>
> </releases>
> <snapshots>
> <enabled>true</enabled>
> </snapshots>
> </repository>
> ...
> </repositories>
> ...
> {code}
> The {{dependency:tree}} for the {{spring-boot-starter-web}} is as follows:
> {code:java}
> +- org.springframework.boot:spring-boot-starter-web:jar:2.0.0.RELEASE:compile
> | +-
> org.springframework.boot:spring-boot-starter-json:jar:2.0.0.RELEASE:compile
> | | +-
> com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.4:compile
> | | +-
> com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.4:compile
> | | \-
> com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.4:compile
> | +-
> org.springframework.boot:spring-boot-starter-tomcat:jar:2.0.0.RELEASE:compile
> | | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.28:compile
> | +- org.hibernate.validator:hibernate-validator:jar:6.0.7.Final:compile
> | | +- javax.validation:validation-api:jar:2.0.1.Final:compile
> | | +- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
> | | \- com.fasterxml:classmate:jar:1.3.1:compile
> | \- org.springframework:spring-web:jar:5.0.4.RELEASE:compile
> {code}
> How is it that the build fails as such:
> {code:java}
> ...
> Downloading:
> https://repo.spring.io/milestone/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> Downloading:
> https://repo.spring.io/snapshot/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> Downloading:
> https://dl.bintray.com/rabbitmq/maven-milestones/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> Downloading:
> https://repo.maven.apache.org/maven2/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> ...
> [ERROR] Failed to execute goal on project maven-multi-module-demo-backend:
> Could not resolve dependencies for project
> com.example.pipe:maven-multi-module-demo-backend:war:1.0.0-SNAPSHOT: Failed
> to collect dependencies at
> org.springframework.boot:spring-boot-starter-web:jar:2.0.0.RELEASE ->
> org.hibernate.validator:hibernate-validator:jar:6.0.7.Final: Failed to read
> artifact descriptor for
> org.hibernate.validator:hibernate-validator:jar:6.0.7.Final: Could not
> transfer artifact org.jboss.shrinkwrap:shrinkwrap-bom:pom:1.2.3 from/to
> spring-milestone (https://repo.spring.io/milestone): Connection reset ->
> [Help 1]
> ...
> {code}
> when I did not even reference this repo {{spring-milestone
> ([https://repo.spring.io/milestone])}} anywhere in my {{pom.xml}}?
> When you go down the Spring Boot rabbit hole (go into the
> {{spring-boot-starter-web}}'s {{pom.xml}} and then traverse up its parent-pom
> structure a few jumps) you'll eventually get to a parent-pom
> {{spring-boot-dependencies}} with this definition:
> {code:xml}
> ...
> <repositories>
> <repository>
> <snapshots>
> <enabled>false</enabled>
> </snapshots>
> <id>spring-milestone</id>
> <name>Spring Milestone</name>
> <url>https://repo.spring.io/milestone</url>
> </repository>
> <repository>
> <snapshots>
> <enabled>true</enabled>
> </snapshots>
> <id>spring-snapshot</id>
> <name>Spring Snapshot</name>
> <url>https://repo.spring.io/snapshot</url>
> </repository>
> <repository>
> <snapshots>
> <enabled>false</enabled>
> </snapshots>
> <id>rabbit-milestone</id>
> <name>Rabbit Milestone</name>
> <url>https://dl.bintray.com/rabbitmq/maven-milestones</url>
> </repository>
> </repositories>
> ...
> {code}
> How is it that the Maven build does _not_ even attempt to reach out to
> [https://artifacts.example.com/repository/maven/] to try to find the missing
> dependency {{shrinkwrap-bom}}? and only reaches out to the above repos only
> and not the one defined in my own {{pom.xml}}?
> *This seems like a transitive dependency resolution bug to me as the Maven
> build does not even make a single attempt at trying to get {{shrinkwrap-bom}}
> from the {{<repository>}} that I have explicitly defined in my {{pom.xml}}.
> The (grand)parents of the {{spring-boot-starter-web}} dependency completely
> hi-jack the repository list that the build pulls from (this type of
> hi-jacking should not be allowed). The {{shrinkwrap-bom}} artifact does exist
> in [https://artifacts.example.com/repository/maven/] and can be fetched no
> problem if it is explicitly defined in my {{pom.xml}} but defining it
> explicitly would be a work-around and I cannot use this work-around in my
> situation.*
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
