[ https://issues.apache.org/jira/browse/MRESOLVER-270?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17582445#comment-17582445 ]
Henning Schmiedehausen commented on MRESOLVER-270:
--------------------------------------------------

see https://github.com/apache/maven-integration-testing/pull/189

> Maven resolver makes bad repository choices when resolving version ranges
> -------------------------------------------------------------------------
>
>                 Key: MRESOLVER-270
>                 URL: https://issues.apache.org/jira/browse/MRESOLVER-270
>             Project: Maven Resolver
>          Issue Type: Bug
>          Components: Resolver
>    Affects Versions: 1.6.3
>            Reporter: Henning Schmiedehausen
>            Priority: Major
>
> This also affects the maven-resolver-provider which is part of Maven core. I
> still file the bug here because it is easier to explain.
> I have a repository setup like this:
> {quote}
> <profiles>
>   <profile>
>     <id>repo</id>
>     <repositories>
>       <repository>
>         <id>snapshots</id>
>         <url>[https://.../maven-public/]</url>
>         <releases>
>           <enabled>false</enabled>
>           <updatePolicy>never</updatePolicy>
>           <checksumPolicy>warn</checksumPolicy>
>         </releases>
>         <snapshots>
>           <enabled>true</enabled>
>           <updatePolicy>interval:180</updatePolicy>
>           <checksumPolicy>fail</checksumPolicy>
>         </snapshots>
>         <layout>default</layout>
>       </repository>
>       <repository>
>         <id>central</id>
>         <url>[https://...|https://.../]/maven-public/</url>
>         <releases>
>           <enabled>true</enabled>
>           <updatePolicy>never</updatePolicy>
>           <checksumPolicy>warn</checksumPolicy>
>         </releases>
>         <snapshots>
>           <enabled>false</enabled>
>           <updatePolicy>interval:180</updatePolicy>
>           <checksumPolicy>fail</checksumPolicy>
>         </snapshots>
>         <layout>default</layout>
>       </repository>
>     </repositories>
> {quote}
>
> Maven is trying to resolve the metadata from this component:
> [https://repo1.maven.org/maven2/com/googlecode/owasp-java-html-sanitizer/owasp-java-html-sanitizer/20220608.1/owasp-java-html-sanitizer-20220608.1.pom]
> which contains (after resolution):
>
> {quote}
> <dependency>
>   <groupId>com.google.code.findbugs</groupId>
>   <artifactId>jsr305</artifactId>
>   <version>[2.0.1,)</version>
>   <scope>provided</scope>
> </dependency>
> {quote}
> {quote}
> <dependency>
>   <groupId>com.google.code.findbugs</groupId>
>   <artifactId>annotations</artifactId>
>   <version>[2.0.1,)</version>
>   <scope>provided</scope>
> </dependency>
> {quote}
>
> what happens now is that maven uses the DefaultVersionRangeResolver, which
> contains this line:
> {quote}
> {{Metadata metadata = new DefaultMetadata( request.getArtifact().getGroupId(),
>     request.getArtifact().getArtifactId(), MAVEN_METADATA_XML,
>     Metadata.Nature.RELEASE_OR_SNAPSHOT );}}
> {quote}
> So it tries to resolve the dependency range against all the repositories.
> By searching for "Nature.RELEASE_OR_SNAPSHOT", both configured repositories
> (snapshot and central) are eligible and selected. And by the order, the
> snapshot repository is chosen first.
> Because both remote repositories map to the same local repository, the
> following version check in lines 210 - 231 iterates over the local versions
> and finds the matching version in the "snapshots" repository.
> All of this code is called from the ProjectDependenciesResolver (which is
> injected into a mojo as a component), when calling resolve() on a
> DependencyResolutionRequest for this specific component
> (com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:bundle:20220608.1).
> It results in the following (slightly obscure) error message:
> {quote}
> Could not resolve dependencies for project
> com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:bundle:20220608.1:
> The following artifacts could not be resolved:
> com.google.code.findbugs:jsr305:jar:3.0.2,
> com.google.code.findbugs:annotations:jar:3.0.1u2: Could not find artifact
> com.google.code.findbugs:jsr305:jar:3.0.2
> {quote}
> However, that artifact is clearly present both in the local and remote
> repository.
>
> What happens is that the ProjectDependenciesResolver tries to resolve the
> (release) artifact com.google.code.findbugs:jsr305:jar:3.0.2 against the
> resolved repository (which is a snapshot only repository) and that repository
> rightfully refuses to resolve it. Hence the error message.
> I can fix this (which confirms this behavior) by removing the snapshot
> repository from the maven_settings.xml and enabling snapshots for the "central"
> repository.
>
> Expected resolution: The DefaultVersionRangeResolver will not select the
> "first repository that contains the version" but looks at snapshot/release
> enabled and chooses based on that information.
> I might find time to whip up a bug fix.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
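
The selection problem described in the report, as an added example that is not Maven Resolver code and not part of the original message. It is a simplified model: the `Repo` record, the two selector methods, and the version list are hypothetical and constructed for illustration, and it contrasts "first repository that lists the version" with a selector that also checks the release/snapshot policy.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Simplified model, not Maven Resolver code: Repo and both selectors are hypothetical.
public class RangeRepoSelection {

    // Mirrors the <releases>/<snapshots> <enabled> flags from the settings in the report.
    record Repo(String id, boolean releases, boolean snapshots) {
        boolean accepts(String version) {
            return version.endsWith("-SNAPSHOT") ? snapshots : releases;
        }
    }

    // Behaviour described in the report: the first repository whose metadata
    // lists the version wins, whatever its release/snapshot policy says.
    static Optional<Repo> firstListing(Map<Repo, List<String>> metadata, String version) {
        return metadata.entrySet().stream()
                .filter(e -> e.getValue().contains(version))
                .map(Map.Entry::getKey)
                .findFirst();
    }

    // Expected behaviour: the policy must also allow this kind of version.
    static Optional<Repo> firstAccepting(Map<Repo, List<String>> metadata, String version) {
        return metadata.entrySet().stream()
                .filter(e -> e.getValue().contains(version))
                .map(Map.Entry::getKey)
                .filter(r -> r.accepts(version))
                .findFirst();
    }

    public static void main(String[] args) {
        // Constructed sample: both ids point at the same URL, so both see the same versions.
        List<String> versions = List.of("2.0.1", "3.0.1", "3.0.2");
        Map<Repo, List<String>> metadata = new LinkedHashMap<>(); // keeps declaration order
        metadata.put(new Repo("snapshots", false, true), versions);
        metadata.put(new Repo("central", true, false), versions);

        Repo naive = firstListing(metadata, "3.0.2").orElseThrow();
        Repo fixed = firstAccepting(metadata, "3.0.2").orElseThrow();
        System.out.println("first listing: " + naive.id() + ", serves releases: " + naive.releases());
        System.out.println("policy-aware:  " + fixed.id() + ", serves releases: " + fixed.releases());
    }
}
```

With the constructed input, the first selector returns `snapshots`, which cannot serve the release `3.0.2`, while the policy-aware selector returns `central`.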