Overrides for central repository being ignored during <scope>import</scope> resolution

[gagarski]

Affected version

3.9.11

Bug description

Initially I posted that as a question in StackOverflow, but while I was collecting the evidence, I was more convinced that this is a bug.

Please find below a copy of my SO question, so you don't have to follow the links:

=======

I have the following Maven settings.xml to make Maven go to my local Maven Central mirror (this is a standard way recommended by JFrog Artifactory):

<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">

    <profiles>
        <profile>
            <id>artifactory</id>
            <repositories>
                <repository>
                    <id>central</id>
                    <name>mvn-libs-release</name>
                    <snapshots>
                        <enabled>false</enabled>
                    </snapshots>
                    <url>https://artifactory.example.com/artifactory/mvn-libs-release</url>
                </repository>
                <repository>
                    <id>snapshots</id>
                    <name>mvn-libs-snapshot</name>
                    <snapshots/>
                    <url>https://artifactory.example.com/artifactory/mvn-libs-snapshot</url>
                </repository>
            </repositories>
            <pluginRepositories>
                <pluginRepository>
                    <id>central</id>
                    <name>mvn-plugins-release</name>
                    <snapshots>
                        <enabled>false</enabled>
                    </snapshots>
                    <url>https://artifactory.example.com/artifactory/mvn-plugins-release</url>
                </pluginRepository>
                <pluginRepository>
                    <id>snapshots</id>
                    <name>mvn-plugins-snapshot</name>
                    <snapshots/>
                    <url>https://artifactory.example.com/artifactory/mvn-plugins-snapshot</url>
                </pluginRepository>
            </pluginRepositories>
        </profile>
    </profiles>

    <activeProfiles>
        <activeProfile>artifactory</activeProfile>
    </activeProfiles>
</settings>

And here is my simplest-repro POM, having basically one entry in dependency management and nothing else:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.example</groupId>
    <artifactId>untitled</artifactId>
    <version>1.0-SNAPSHOT</version>
    <packaging>pom</packaging>



    <dependencyManagement>
        <dependencies>
                <dependency>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-dependencies</artifactId>
                    <version>3.5.6</version>
                    <scope>import</scope>
                    <type>pom</type>
                </dependency>
        </dependencies>
    </dependencyManagement>

</project>

Then I run mvn -X -N clean install and see the following entries:

[DEBUG] Creating adapter using nameMapper 'gav' and factory 'rwlock-local'
[DEBUG] Resolving artifact org.springframework.boot:spring-boot-dependencies:pom:3.5.6 from [central (https://artifactory.example.com/artifactory/mvn-libs-release, default, releases), snapshots (https://artifactory.example.com/artifactory/mvn-libs-snapshot, default, releases+snapshots)]
[DEBUG] Resolving artifact org.springframework.boot:spring-boot-dependencies:pom:3.5.6 from [central (https://artifactory.example.com/artifactory/mvn-libs-release, default, releases), snapshots (https://artifactory.example.com/artifactory/mvn-libs-snapshot, default, releases+snapshots)]
[DEBUG] Using transporter HttpTransporter with priority 5.0 for https://artifactory.example.com/artifactory/mvn-libs-release
[DEBUG] Using connector BasicRepositoryConnector with priority 0.0 for https://artifactory.example.com/artifactory/mvn-libs-release with username=kg@example.com, password=***
Downloading from central: https://artifactory.example.com/artifactory/mvn-libs-release/org/springframework/boot/spring-boot-dependencies/3.5.6/spring-boot-dependencies-3.5.6.pom
Progress (1): spring-boot-dependencies-3.5.6.pom (7.6/96 kB)
Progress (1): spring-boot-dependencies-3.5.6.pom (16/96 kB) 
Progress (1): spring-boot-dependencies-3.5.6.pom (32/96 kB)
Progress (1): spring-boot-dependencies-3.5.6.pom (49/96 kB)
Progress (1): spring-boot-dependencies-3.5.6.pom (65/96 kB)
Progress (1): spring-boot-dependencies-3.5.6.pom (81/96 kB)
Progress (1): spring-boot-dependencies-3.5.6.pom (96 kB)   
                                                        
Downloaded from central: https://artifactory.example.com/artifactory/mvn-libs-release/org/springframework/boot/spring-boot-dependencies/3.5.6/spring-boot-dependencies-3.5.6.pom (96 kB at 222 kB/s)
[DEBUG] Writing tracking file 'D:\Dev\.m2\repository\org\springframework\boot\spring-boot-dependencies\3.5.6\_remote.repositories'
[DEBUG] Writing tracking file 'D:\Dev\.m2\repository\org\springframework\boot\spring-boot-dependencies\3.5.6\spring-boot-dependencies-3.5.6.pom.lastUpdated'
[DEBUG] Resolving artifact org.apache.activemq:activemq-bom:pom:6.1.7 from [snapshots (https://artifactory.example.com/artifactory/mvn-libs-snapshot, default, releases+snapshots), central (https://repo.maven.apache.org/maven2, default, releases)]
[DEBUG] Resolving artifact org.apache.activemq:activemq-bom:pom:6.1.7 from [snapshots (https://artifactory.example.com/artifactory/mvn-libs-snapshot, default, releases+snapshots), central (https://repo.maven.apache.org/maven2, default, releases)]
[DEBUG] Using transporter HttpTransporter with priority 5.0 for https://artifactory.example.com/artifactory/mvn-libs-snapshot
[DEBUG] Using connector BasicRepositoryConnector with priority 0.0 for https://artifactory.example.com/artifactory/mvn-libs-snapshot
Downloading from snapshots: https://artifactory.example.com/artifactory/mvn-libs-snapshot/org/apache/activemq/activemq-bom/6.1.7/activemq-bom-6.1.7.pom
[DEBUG] Writing tracking file 'D:\Dev\.m2\repository\org\apache\activemq\activemq-bom\6.1.7\activemq-bom-6.1.7.pom.lastUpdated'
[DEBUG] Using transporter HttpTransporter with priority 5.0 for https://repo.maven.apache.org/maven2
[DEBUG] Using connector BasicRepositoryConnector with priority 0.0 for https://repo.maven.apache.org/maven2 with username=kg@example.com, password=*** via proxy.example.com:8080
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/activemq/activemq-bom/6.1.7/activemq-bom-6.1.7.pom
Progress (1): activemq-bom-6.1.7.pom (799 B)
Progress (1): activemq-bom-6.1.7.pom (1.9 kB)
Progress (1): activemq-bom-6.1.7.pom (7.9 kB)
                                             
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/activemq/activemq-bom/6.1.7/activemq-bom-6.1.7.pom (7.9 kB at 53 kB/s)

As you can see, for some reason, Maven falls back to https://repo.maven.apache.org/maven2 for no good reason.

Removing the import makes repositories work as expected (even though in a given example there is nothing to download, downloading works as expected for any added dependencies).

I understand that spring-boot-dependencies is quite a big POM to import, but I couldn't come with a simpler example. Copying all <dependencyManagement> section (which itself has some transitive imports) to my POM did not reproduce the issue. Even mvn clean installing the spring-boot-dependencies POM itself does not reproduce the issue.

I cannot see any repositories configuration in spring-boot-dependencies (having them there and being a reason for that behavior would be weird but would explain it at least to some extent).

Here is what I see in mvn help:effective-pom (no trace of resurrected maven.apache.org either):

  <repositories>
    <repository>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
      <id>central</id>
      <name>mvn-libs-release</name>
      <url>https://artifactory.example.com/artifactory/mvn-libs-release</url>
    </repository>
    <repository>
      <snapshots>
        <enabled>true</enabled>
      </snapshots>
      <id>snapshots</id>
      <name>mvn-libs-snapshot</name>
      <url>https://artifactory.example.com/artifactory/mvn-libs-snapshot</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
      <id>central</id>
      <name>mvn-plugins-release</name>
      <url>https://artifactory.example.com/artifactory/mvn-plugins-release</url>
    </pluginRepository>
    <pluginRepository>
      <snapshots>
        <enabled>true</enabled>
      </snapshots>
      <id>snapshots</id>
      <name>mvn-plugins-snapshot</name>
      <url>https://artifactory.example.com/artifactory/mvn-plugins-snapshot</url>
    </pluginRepository>
  </pluginRepositories>

I managed to reproduce it on Maven 3.8.9 and 3.9.11.

Is there any explanation and workaround for such a behavior?

[gagarski]

Given the Tragedy of the Commons, it's pretty weird that Maven does this behavior in quite a common scenarios (importing spring-boot-dependencies is a recommended way by Spring Boot).

[cstamas]

Maven is all about (various) scopes 😄
Hint: try it with Maven 4.0.0-rc-5.

The important difference between Maven 3 and Maven 4:

3.9.11:

[cstamas@angeleyes ~]$ mvn -V toolbox:gav-effective-model -Dgav=org.springframework.boot:spring-boot-dependencies:3.5.6 | grep -A 2 -B 2 central
        <enabled>false</enabled>
      </snapshots>
      <id>central</id>
      <name>Central Repository</name>
      <url>https://repo.maven.apache.org/maven2</url>
--
        <enabled>false</enabled>
      </snapshots>
      <id>central</id>
      <name>Central Repository</name>
      <url>https://repo.maven.apache.org/maven2</url>
[cstamas@angeleyes ~]$ 

4.0.0-rc-5:

[cstamas@angeleyes ~]$ mvn -V toolbox:gav-effective-model -Dgav=org.springframework.boot:spring-boot-dependencies:3.5.6 | grep -A 2 -B 2 central
[INFO] 
[INFO] Scanning for projects...
[INFO] Loaded 21611 auto-discovered prefixes for remote repository central (prefixes-central.txt)
[INFO] 
[INFO] ------------------< org.apache.maven:standalone-pom >-------------------
[cstamas@angeleyes ~]$ 

All this happens due "super POM" of Maven 3.x:
https://github.com/apache/maven/blob/f0ecd472a1d11b16916d3e9be8b5b09f7ebd6465/maven-model-builder/src/main/resources/org/apache/maven/model/pom-4.0.0.xml

Compare it with Maven 4 "super POM":
https://github.com/apache/maven/blob/a336a2c579ac62958f2a9a3e3853637c13c4e03c/impl/maven-impl/src/main/resources/org/apache/maven/model/pom-4.0.0.xml

Hint: there is no repository stanza in Maven 4 superpom.
Long outstanding issue (created against 3.6.3 I guess): #8494

So, yes, this was a "feature" of Maven 3, fixed finally in Maven 4 among many other things.

But, in your case and with Maven 3 "usual practice" is to mirror and not redefine (exactly due this issue) the central:
https://maven.apache.org/guides/mini/guide-mirror-settings.html

[gagarski]

I'd stick with Maven 3, at least until Maven 4 general availability.

But, in your case and with Maven 3 "usual practice" is to mirror and not redefine (exactly due this issue) the central

I've considered this, but how do I mirror pluginRepository? Even though, it seems like they are not affected by this issue in that case, it would be good to have it consistent.

[cstamas]

In your case, it is not the "how to mirror plugin repository" the question, but rather "how to mirror release and snapshots" separately... (mirror will grab ANY repository that matches expression in mirrorOf)

[gagarski]

In your case, it is not the "how to mirror plugin repository" the question, but rather "how to mirror release and snapshots" separately... (mirror will grab ANY repository that matches expression in mirrorOf)

But I can have separate <mirrorOf>central</mirrorOf> and <mirrorOf>snapshots</mirrorOf>, right? Still, what about plugin repositories? Can I define mirrors for them (apparently, they have a namespace which can have clashing names with regular repositories.

[cstamas]

I'd stick with Maven 3, at least until Maven 4 general availability.

Still, we all would be very grateful if you'd try and just provide us feedback... am not telling you to "move your shop to Maven 4".

Read the doco: https://maven.apache.org/guides/mini/guide-mirror-settings.html

Use external:* = everything not on the localhost and not file based or alike?

And my stance on MRM groups is here: https://maveniverse.eu/blog/2025/11/09/why-are-mrm-group-repositories-bad/

[gagarski]

Still, we all would be very grateful if you'd try and just provide us feedback... am not telling you to "move your shop to Maven 4".

I'll try that and will give you some feedback. Though, there still a long way to go to actually migrate.

Use external:* = everything not on the localhost and not file based or alike?

I'm still not getting what you're saying here. If I define <mirrorOf>central</mirrorOf>, it will solve my issue. For snapshots I don't even have anything to mirror (according to super-POM), so I can just define snapshots repo the old way.

Still, central <pluginRepository> is a different one, so how do I define a mirror for it?

And my stance on MRM groups is here: https://maveniverse.eu/blog/2025/11/09/why-are-mrm-group-repositories-bad/

Not sure, why it is relevant here, as you can see, "our shop" has four different repos, which I've tried to configure in my settings (according to MRM suggestion).