Im confused still. Why doesn't remote repository filtering (available since maven 3.9) does not fit here?
On Wed, Feb 11, 2026, 16:22 Richard Gomez <[email protected]> wrote: > > I can certainly see a use case for that. OTOH it would be very complex, > and if no one's asked for it before now maybe it doesn't actually solve a > significant real world problem? > > This is a common use case in enterprise software: there's a billion dollar > industry of solutions that resolve certain groupIds/artifactIds against > specific repositories to avoid supply-chain attacks (e.g., dependency > confusion). > > I would love to have first-class support for repository-specific > dependencies in pom.xml, similar to Gemfile ( > https://bundler.io/man/gemfile.5.html#SOURCE) > > On Wed, Feb 11, 2026 at 9:15 AM Elliotte Rusty Harold <[email protected]> > wrote: > > > On Wed, Feb 11, 2026 at 1:27 PM Yeikel Santana <[email protected]> wrote: > > > > > > Currently, Maven resolves artifacts from repositories in order and does > > not allow specifying a repository per dependency. > > > > > > > > > In scenarios where the same artifact coordinates may exist in multiple > > repositories, there does not appear to be a built-in way to enforce that > a > > specific dependency be resolved only from a specific repository. > > > > > > > > > Has per-dependency repository resolution ever been discussed or > > considered in Maven’s design? Not as a default but as a feature that > could > > be enabled > > > > > > > I can certainly see a use case for that. OTOH it would be very > > complex, and if no one's asked for it before now maybe it doesn't > > actually solve a significant real world problem? I also worry that it > > might cut against Maven's design and architecture. Currently there's a > > pretty deep assumption baked into Maven that a GAV uniquely identifies > > an artifact no matter which repository it happens to come from. This > > is important for local mirrors and similar infrastructure. > > > > I don't expect this would be a feature that could be enabled. If it > > were done at all, it would likely be an extra element in pom.xml that > > Maven 4.x and later would simply recognize if present. > > > > -- > > Elliotte Rusty Harold > > [email protected] > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > > > > // Mantas
