Repositories from dependencies' pom.xml are not used

Description

Artifact in non-standard maven repos defined in pom.xml of a dependencies cannot be fetched.

Steps to reproduce
1. Use the attached deps.edn and run clj.

lambdacd defines a custom maven repo in the project.clj and translated into the following pom.xml. Note "gocd" is added.

Is it possible to observe custom maven repositories while traversing transitive dependencies?

Environment

1.9.0.348

Activity

Show:
Alex Miller
April 22, 2021, 6:18 PM

We have grown increasingly uneasy about using transitive dependency repository declarations due to the security concerns for shadowing. The recommended path here is to declare all repositories needed in the parent. At some future point, we may consider some way to allow this with either reporting or guardrails of some kind.

Alex Miller
December 4, 2019, 3:56 AM

Same issue exists with transitive deps.edn projects that declare their own repos.

Martin Klepsch
November 19, 2018, 7:15 PM

Another case to reproduce this

Alex Miller
March 2, 2018, 5:56 AM

Thanks for the report! Definitely fixable.

Assignee

Alex Miller

Reporter

import