[
https://issues.apache.org/jira/browse/MNG-6397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17281497#comment-17281497
]
Herve Boutemy edited comment on MNG-6397 at 2/9/21, 3:20 AM:
-------------------------------------------------------------
just changed link to MNG-6772: the current issue *is caused by* MNG-6772 =
handling of import-scoped dependencies (in dependencyManagement) by Model
Builder does not work the same way as "normal" dependencies by lifecycle
(no judgment at this stage if we should change that nor if we can: it's just a
description of what is happening, that will be shown in future IT through
MNG-7094)
was (Author: hboutemy):
just changed link to MNG-6772: the current issue *is caused by* MNG-6772 =
handling of import-scoped dependencies (in dependencyManagement) by Model
Builder does not work the same way as "normal" dependencies by lifecycle
(no judgment at this stage if we should change that nor if we can: it's just a
description of what is happening)
> Maven Transitive Dependency Resolution Does Not Respect Repository Definition
> in pom.xml
> ----------------------------------------------------------------------------------------
>
> Key: MNG-6397
> URL: https://issues.apache.org/jira/browse/MNG-6397
> Project: Maven
> Issue Type: New Feature
> Components: Artifacts and Repositories, Dependencies, POM
> Affects Versions: 3.5.0, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.3
> Environment: Apache Maven 3.5.0
> (ff8f5e7444045639af65f6095c62210b5713f426; 2017-04-03T15:39:06-04:00)
> Maven home: /usr/local/share/maven
> Java version: 1.8.0_161, vendor: Oracle Corporation
> Java home:
> /Library/Java/JavaVirtualMachines/jdk1.8.0_161.jdk/Contents/Home/jre
> Default locale: en_US, platform encoding: UTF-8
> OS name: "mac os x", version: "10.10.5", arch: "x86_64", family: "mac"
> Reporter: Alan Czajkowski
> Priority: Critical
> Labels: maven
> Fix For: 4.0.x-candidate, waiting-for-feedback,
> wontfix-candidate, 4.0.0, 4.0.0-alpha-1
>
>
> _*Note:* I am trying to do a build behind a firewall which means I cannot
> access the Internet, I can only access my internal Maven repository inside my
> network, so:_
> - _grabbing artifacts from https://artifacts.example.com/repository/maven/
> works fine_
> - _grabbing artifacts from anywhere else fails due to firewall restrictions_
> Let's begin:
> My {{pom.xml}} has the following:
> {code:xml}
> ...
> <dependencies>
> ...
> <dependency>
> <groupId>org.springframework.boot</groupId>
> <artifactId>spring-boot-starter-web</artifactId>
> <version>2.0.0.RELEASE</version>
> </dependency>
> ...
> </dependencies>
> ...
> <repositories>
> ...
> <repository>
> <id>central</id>
> <name>Public</name>
> <url>https://artifacts.example.com/repository/maven/</url>
> <releases>
> <enabled>true</enabled>
> </releases>
> <snapshots>
> <enabled>true</enabled>
> </snapshots>
> </repository>
> ...
> </repositories>
> ...
> {code}
> The {{dependency:tree}} for the {{spring-boot-starter-web}} is as follows:
> {code:java}
> +- org.springframework.boot:spring-boot-starter-web:jar:2.0.0.RELEASE:compile
> | +-
> org.springframework.boot:spring-boot-starter-json:jar:2.0.0.RELEASE:compile
> | | +-
> com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.4:compile
> | | +-
> com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.4:compile
> | | \-
> com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.4:compile
> | +-
> org.springframework.boot:spring-boot-starter-tomcat:jar:2.0.0.RELEASE:compile
> | | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.28:compile
> | +- org.hibernate.validator:hibernate-validator:jar:6.0.7.Final:compile
> | | +- javax.validation:validation-api:jar:2.0.1.Final:compile
> | | +- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
> | | \- com.fasterxml:classmate:jar:1.3.1:compile
> | \- org.springframework:spring-web:jar:5.0.4.RELEASE:compile
> {code}
> How is it that the build fails as such:
> {code:java}
> ...
> Downloading:
> https://repo.spring.io/milestone/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> Downloading:
> https://repo.spring.io/snapshot/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> Downloading:
> https://dl.bintray.com/rabbitmq/maven-milestones/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> Downloading:
> https://repo.maven.apache.org/maven2/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> ...
> [ERROR] Failed to execute goal on project maven-multi-module-demo-backend:
> Could not resolve dependencies for project
> com.example.pipe:maven-multi-module-demo-backend:war:1.0.0-SNAPSHOT: Failed
> to collect dependencies at
> org.springframework.boot:spring-boot-starter-web:jar:2.0.0.RELEASE ->
> org.hibernate.validator:hibernate-validator:jar:6.0.7.Final: Failed to read
> artifact descriptor for
> org.hibernate.validator:hibernate-validator:jar:6.0.7.Final: Could not
> transfer artifact org.jboss.shrinkwrap:shrinkwrap-bom:pom:1.2.3 from/to
> spring-milestone (https://repo.spring.io/milestone): Connection reset ->
> [Help 1]
> ...
> {code}
> when I did not even reference this repo {{spring-milestone
> ([https://repo.spring.io/milestone])}} anywhere in my {{pom.xml}}?
> When you go down the Spring Boot rabbit hole (go into the
> {{spring-boot-starter-web}}'s {{pom.xml}} and then traverse up its parent-pom
> structure a few jumps) you'll eventually get to a parent-pom
> {{spring-boot-dependencies}} with this definition:
> {code:xml}
> ...
> <repositories>
> <repository>
> <snapshots>
> <enabled>false</enabled>
> </snapshots>
> <id>spring-milestone</id>
> <name>Spring Milestone</name>
> <url>https://repo.spring.io/milestone</url>
> </repository>
> <repository>
> <snapshots>
> <enabled>true</enabled>
> </snapshots>
> <id>spring-snapshot</id>
> <name>Spring Snapshot</name>
> <url>https://repo.spring.io/snapshot</url>
> </repository>
> <repository>
> <snapshots>
> <enabled>false</enabled>
> </snapshots>
> <id>rabbit-milestone</id>
> <name>Rabbit Milestone</name>
> <url>https://dl.bintray.com/rabbitmq/maven-milestones</url>
> </repository>
> </repositories>
> ...
> {code}
> How is it that the Maven build does _not_ even attempt to reach out to
> [https://artifacts.example.com/repository/maven/] to try to find the missing
> dependency {{shrinkwrap-bom}}? and only reaches out to the above repos only
> and not the one defined in my own {{pom.xml}}?
> *This seems like a transitive dependency resolution bug to me as the Maven
> build does not even make a single attempt at trying to get {{shrinkwrap-bom}}
> from the {{<repository>}} that I have explicitly defined in my {{pom.xml}}.
> The (grand)parents of the {{spring-boot-starter-web}} dependency completely
> hi-jack the repository list that the build pulls from (this type of
> hi-jacking should not be allowed). The {{shrinkwrap-bom}} artifact does exist
> in [https://artifacts.example.com/repository/maven/] and can be fetched no
> problem if it is explicitly defined in my {{pom.xml}} but defining it
> explicitly would be a work-around and I cannot use this work-around in my
> situation.*
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
