
How to get a list of maven dependencies and the repositories they were fetched from


I'd like to, given a pom.xml file, expand the transitive dependencies, and for each direct and transitive dependency, list which repositories maven is fetching it from.

With the maven-dependency-plugin I can do

mvn dependency:tree to get the transitive dependency tree, but no repository info is included

mvn dependency:list-repositories to get a list of repositories used, but no dependency info is included

mvn dependency:get -Dartifact=<...> to fetch a single artifact and transitive dependencies, but it seems to fetch a lot more than needed and I can't tell which I actually care about.

Yunchi asked Aug 18 '16 20:08



1 Answer

I don't think that there is a plugin that does that. And I think the reason for that is that no one is really interested in that kind of information.

Consider having dependencies to released artifacts. Once they are downloaded to your local repo, Maven won't bother downloading them again (unless you delete them); all future resolutions to that artifact will be done through the local repo.

Sure, the file _remote.repositories in your local repo's artifact directory will contain the symbolic name of the repo it was downloaded from, whose actual URL might or might not be the same over time.

The philosophy behind this is that Maven coordinates are global. For example, a given release of (say) commons-codec:commons-codec:1.10 must be the same regardless of where it came from. Otherwise, if certain releases were to be different depending on where they came from, then everything would fall apart. Because of this, no one cares where a dependency came from.

Snapshot dependencies are a different story, but you shouldn't rely on them for too long because you don't want to release your stuff based on dependencies that might change in the future. Usually, you are in control of where you want your snapshot dependencies to come from, so the whole point of finding out where your dependencies come from becomes futile.

Sometimes though, transitive dependencies will include POMs that specify additional repos for Maven to fetch sub-dependencies from. And sometimes these repositories are decommissioned or discontinued, breaking the dependency chain. In that case, you might want to block or reroute them in your settings.xml. A simple scan through all the POMs in your local repo is usually enough to sniff them out:

# Linux/Unix: count '<repositories>' lines per POM and drop the POMs with a count of zero
%> find <your local repo> -name '*.pom' -print0 | xargs -0 grep -c '<repositories>' | grep -v ':0$'

This, together with mvn dependency:tree, should be enough to find out if a transitive dependency is dependent on a misbehaving repository.

Daniel answered Sep 22 '22 16:09
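The _remote.repositories files mentioned in the answer can be read to build the per-artifact listing the question asks for. The following is an added example, not part of the original answer: it assumes each entry has the form `<file name>><repository id>=` (an internal Maven format that may change), and the `legacy-mirror` id and `com.example` coordinates are constructed sample data.

```python
import os
import tempfile

def artifact_origins(repo_root):
    """Map (groupId, artifactId, version, file name) -> repository id."""
    origins = {}
    for dirpath, _dirs, files in os.walk(repo_root):
        if "_remote.repositories" not in files:
            continue
        # Local repo layout: <groupId as directories>/<artifactId>/<version>/
        parts = os.path.relpath(dirpath, repo_root).split(os.sep)
        if len(parts) < 3:
            continue
        group, artifact, version = ".".join(parts[:-2]), parts[-2], parts[-1]
        path = os.path.join(dirpath, "_remote.repositories")
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                line = line.strip()
                if not line or line.startswith("#") or ">" not in line:
                    continue
                # Assumed entry format: "<file>><repo id>="; an empty id
                # means the file was installed locally, not downloaded.
                filename, _, rest = line.partition(">")
                repo_id = rest.rstrip("=") or "(local install)"
                origins[(group, artifact, version, filename)] = repo_id
    return origins

def unexpected_origins(origins, allowed_ids):
    """Return the entries whose repository id is not in the allowlist."""
    return sorted(k for k, repo in origins.items() if repo not in allowed_ids)

def build_sample_repo(root):
    """Write a small constructed local repo so the example runs offline."""
    samples = {
        "commons-codec/commons-codec/1.10":
            "commons-codec-1.10.jar>central=\ncommons-codec-1.10.pom>central=\n",
        "com/example/widget/2.0": "widget-2.0.jar>legacy-mirror=\n",
        "com/example/app/1.0-SNAPSHOT": "app-1.0-SNAPSHOT.jar>=\n",
    }
    for rel, body in samples.items():
        d = os.path.join(root, *rel.split("/"))
        os.makedirs(d)
        with open(os.path.join(d, "_remote.repositories"), "w", encoding="utf-8") as fh:
            fh.write("#NOTE: constructed sample\n" + body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        found = artifact_origins(tmp)
        for (g, a, v, f), repo in sorted(found.items()):
            print(f"{g}:{a}:{v}  {f}  <- {repo}")
        print(unexpected_origins(found, {"central", "(local install)"}))
```

The ids reported are the symbolic repository ids only; the URL each id pointed to at download time has to be looked up in the settings.xml or POM that declared it.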