Avoid unnecessarily accessing snapshot repositories #5709
Merged
This change avoids unnecessarily accessing the configured repository.apache.org/snapshots snapshot repository. To do this, it affixes a specific version from the range in one of the transitive dependencies (in this case, bouncycastle), so Maven does not query all of the configured repositories for the versions they contain. The apparent behavior of Maven's dependency resolution is to query all repositories, whether they are configured for snapshots or releases, in order to resolve dependency ranges. However, this may be a bug in Maven.

It is important to avoid unnecessary accesses to repository.apache.org/snapshots, because Apache's INFRA team blocks network clients for too many accesses to repository.apache.org that result in 404s. Any attempt to resolve bouncycastle dependencies from repository.apache.org is certainly going to fail with 404 responses, because bouncycastle is not an Apache project that publishes anything to this server. So, the version range in that dependency is likely to contribute to getting Apache projects blocked who use the Apache parent POM, because the Apache parent POM adds repository.apache.org/snapshots as a snapshot repository by default.
The workaround in this commit sets a specific version that is not a SNAPSHOT version, so the snapshot repository should not be used. Unfortunately, it appears this will need to be done for any version ranges anywhere in our project's dependency tree.
This commit also adds an enforcer rule to detect new version ranges showing up in the dependency tree.
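The two measures described above, pinning the transitive range and adding an enforcer rule, can be expressed in a POM as follows. This is an added illustration, not the diff from this pull request: it assumes Maven Enforcer Plugin 3.2.0 or later, which ships the `banDynamicVersions` rule (the page does not say which rule the commit used), and the artifact and version values marked as placeholders are not taken from the page.

```xml
<!-- Added example, not the PR's own change. Assumes maven-enforcer-plugin 3.2.0+,
     which provides the banDynamicVersions rule. Values marked "placeholder"
     are not from the page. -->
<project>
  <!-- 1. Pin the transitive Bouncy Castle artifact to one fixed release.
          dependencyManagement overrides the version declared by the
          transitive POM, so Maven no longer has to fetch maven-metadata.xml
          from every configured repository (snapshot ones included) to
          enumerate candidates for a range. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk18on</artifactId>     <!-- placeholder artifact -->
        <version>PINNED_RELEASE_VERSION</version>   <!-- placeholder: a release, never a SNAPSHOT -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- 2. Fail the build if any dependency in the resolved tree, direct or
              transitive, still declares a range, SNAPSHOT, LATEST or RELEASE
              version, so a new range cannot silently reintroduce the lookups. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>ENFORCER_PLUGIN_VERSION</version>  <!-- placeholder: 3.2.0 or later -->
        <executions>
          <execution>
            <id>ban-dynamic-versions</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <banDynamicVersions/>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn validate` with this configuration lists every dependency whose version is dynamic and fails the build, which is the check the PR wants in place so ranges anywhere in the tree are caught before they trigger 404s against the snapshot repository.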