Suppose I have the following project, a library which declares some 3rd party repository that it needs to use to grab an artifact.

```xml
<project ...>
    <groupId>com.mygroup</groupId>
    <artifactId>library</artifactId>
    <version>1.0.0</version>

    <repositories>
        <repository>
            <id>some-id</id>
            <url>https://some.repo.com</url>
        </repository>
    </repositories>

    <dependencies>
        <dependency>
            <groupId>com.thirdparty</groupId>
            <artifactId>used-at-compile-time</artifactId> <!-- like Lombok, say -->
            <version>1.0.0</version>
            <scope>provided</scope> <!-- so, not transitive -->
        </dependency>
    </dependencies>
</project>
```

Then I have a totally separate project which depends upon that library:

```xml
<project ...>
    <groupId>com.mygroup</groupId>
    <artifactId>some-app</artifactId>
    <version>2.0.0</version>

    <dependencies>
        <dependency>
            <groupId>com.mygroup</groupId>
            <artifactId>library</artifactId>
            <version>1.0.0</version>
        </dependency>
    </dependencies>
</project>
```

Does Maven try to include the repository definition in all dependent projects? Will some-app ever try to access https://some.repo.com?

I'd always been under the impression that this didn't happen, but I've started seeing build failures which contradict that belief.

It might initially seem convenient if that's how it worked, but what if the repo was internal and was not publicly accessible over the internet? The project which declared it might use it for some compile-time dependencies, like in my example above. If that repo were dragged in, the dependent project might try to access a repository that it can't for some other non-Maven Central dependencies.

So I can see valid reasons for either behaviour, but as far as I can see, the documentation for repositories doesn't say one way or another what happens, and neither does the POM reference.

Michael
  • I also _suspect_ that these repositories are read. This is one reason I use a `*` configuration in my `settings.xml`. Furthermore, Artifactory has a standard configuration to eliminate repository definitions from POMs, which also indicates that they are not ignored. – J Fabian Meier Sep 09 '20 at 13:37
  • @JFabianMeier Your comment inspired me to check the [flatten plugin](https://www.mojohaus.org/flatten-maven-plugin/flatten-mojo.html), which TL;DR removes extraneous details. By default it says it does not remove them (though you can configure it to do so), which again seems to support the fact that they're transitive. It would be nice if there were a source which stated that explicitly though. – Michael Sep 09 '20 at 13:42
  • @JFabianMeier true, although that could also indicate to eliminate them from parent poms or from imported poms, for example. Ones that will be more directly "included" in the referring project itself. Although I can't prove it, I would find it quite strange if Maven would automatically start to use repositories defined in a pom of a mere dependency, especially of a dependency that isn't even packaged with the deployable. Still... this is one heck of a good question. – Gimby Sep 09 '20 at 13:42
  • Probably a question for Mr. Marbaise or Mr. Scholte. – J Fabian Meier Sep 09 '20 at 13:50
  • I agree... I took the liberty of emailing Mr. Scholte about it. Fortune favours the bold. – Gimby Sep 10 '20 at 09:25

1 Answer

Repositories are context aware, in the context of their pom. Dependencies from com.mygroup:library can use the repos central and some-id. On the other hand, dependencies from com.mygroup:some-app will only use central. When running Maven from the command line, you'll see the repositories it'll try to download the artifacts from (in case the first one fails, it'll go for the next).

When publishing to Central, there are several requirements. However, based on the last paragraph, repositories are not banned; you're advised not to use them.

You might want to read this classic article: Why Putting Repositories in your POMs is a Bad Idea

Robert Scholte
  • By the way, I happened to watch your talk from last year's Devoxx earlier today (after @Gimby commented saying he'd emailed you) and it was excellent! – Michael Sep 10 '20 at 18:38
  • Thank you for watching. Regarding the docs, it might be documented in one of the Maven books. It is quite advanced and discouraged to use. – Robert Scholte Sep 10 '20 at 18:48
  • No problem. For all its faults, StackOverflow has great presence on Google so hopefully this question will be enough to satisfy anyone else who's interested. I guess you can judge by the number of views it ends up getting whether it's something that's worth giving more explanation in the docs or not. – Michael Sep 10 '20 at 19:05
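
The rule stated in the answer, as an added example (not part of the original thread and not Maven's resolver code): a simplified Python model that walks constructed POMs mirroring the question and reports which repository ids are in scope for each dependency. It assumes a hypothetical compile-scope dependency `runtime-helper` in the library so the transitive case is visible, and it does not model the order in which repositories are tried.

```python
import xml.etree.ElementTree as ET

CENTRAL = "central"  # id of Maven's built-in default repository

# Constructed POMs mirroring the question. "runtime-helper" is a hypothetical
# compile-scope dependency added here; it is not in the original post.
POMS = {
    "com.mygroup:some-app": """<project><dependencies>
        <dependency><groupId>com.mygroup</groupId><artifactId>library</artifactId></dependency>
      </dependencies></project>""",
    "com.mygroup:library": """<project>
      <repositories><repository><id>some-id</id><url>https://some.repo.com</url></repository></repositories>
      <dependencies>
        <dependency><groupId>com.thirdparty</groupId><artifactId>used-at-compile-time</artifactId><scope>provided</scope></dependency>
        <dependency><groupId>com.thirdparty</groupId><artifactId>runtime-helper</artifactId></dependency>
      </dependencies></project>""",
}

def parse(pom_xml):
    """Return (repository ids, [(groupId:artifactId, scope)]) declared in one POM."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():                       # drop the POM namespace if present
        el.tag = el.tag.rsplit("}", 1)[-1]
    repos = [r.findtext("id") for r in root.findall("repositories/repository")]
    deps = [(f"{d.findtext('groupId')}:{d.findtext('artifactId')}", d.findtext("scope") or "compile")
            for d in root.findall("dependencies/dependency")]
    return repos, deps

def resolution_plan(root_ga, poms):
    """Map each artifact reached from root_ga to the repo ids in scope for it."""
    plan, queue, seen = {}, [(root_ga, True)], {root_ga}
    while queue:
        ga, is_root = queue.pop(0)
        if ga not in poms:
            continue                             # POM not available: nothing more to follow
        repos, deps = parse(poms[ga])
        context = [CENTRAL] + repos              # repositories visible in this POM's context
        for dep, scope in deps:
            if not is_root and scope in ("provided", "test"):
                continue                         # these scopes are not transitive
            if dep not in seen:
                seen.add(dep)
                plan[dep] = context
                queue.append((dep, False))
    return plan

if __name__ == "__main__":
    for artifact, repos in resolution_plan("com.mygroup:some-app", POMS).items():
        print(artifact, "->", repos)
```

Running the same walk over the `.pom` files of a project's real dependency tree lists every repository id that a dependency could bring into a build, which is the set to compare against the repositories you intend to allow.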