Suppose I have the following project, a library which declares some 3rd party repository that it needs to use to grab an artifact.
<project ...>
  <groupId>com.mygroup</groupId>
  <artifactId>library</artifactId>
  <version>1.0.0</version>
  <repositories>
    <repository>
      <id>some-id</id>
      <url>https://some.repo.com</url>
    </repository>
  </repositories>
  <dependencies>
    <dependency>
      <groupId>com.thirdparty</groupId>
      <artifactId>used-at-compile-time</artifactId> <!-- like Lombok, say -->
      <version>1.0.0</version>
      <scope>provided</scope> <!-- so, not transitive -->
    </dependency>
  </dependencies>
</project>
Then I have a totally separate project which depends upon that library
<project ...>
  <groupId>com.mygroup</groupId>
  <artifactId>some-app</artifactId>
  <version>2.0.0</version>
  <dependencies>
    <dependency>
      <groupId>com.mygroup</groupId>
      <artifactId>library</artifactId>
      <version>1.0.0</version>
    </dependency>
  </dependencies>
</project>
Does Maven try to include the repository definition in all dependent projects? Will some-app ever try to access https://some.repo.com?
I'd always been under the impression that this didn't happen, but I've started seeing build failures which contradict that belief.
It might initially seem convenient if that's how it worked, but what if the repo was internal and was not publicly accessible over the internet? The project which declared it might use it for some compile-time dependencies, like in my example above. If that repo were dragged in, the dependent project might try to access a repository that it can't for some other non-Maven Central dependencies.
So I can see valid reasons for either behaviour, but as far as I can see, the documentation for repositories doesn't say one way or another what happens, and neither does the POM reference.
Repositories are context aware, in the context of their pom. Dependencies from com.mygroup:library can use the repos central and some-id.
On the other hand, dependencies from com.mygroup:some-app will only use central.
When running Maven from the command line, you'll see the repositories it'll try to download the artifacts from (in case the first one fails, it'll go for the next).
When publishing to Central, there are several requirements. However, based on the last paragraph, repositories are not banned; you're advised not to use them.
You might want to read this classic article: Why Putting Repositories in your POMs is a Bad Idea
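Added example, not part of the original question or answer: a small audit script that lists the repositories each POM declares, so you can see which dependency POMs bring an extra repository into the resolution of their own dependencies. The function names are hypothetical, the sample POM is constructed from the question's `library` POM, and the directory to scan (for instance the local cache, `~/.m2/repository` by default) is passed on the command line.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: the library POM from the question, with the Maven namespace added.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.mygroup</groupId>
  <artifactId>library</artifactId>
  <version>1.0.0</version>
  <repositories>
    <repository>
      <id>some-id</id>
      <url>https://some.repo.com</url>
    </repository>
  </repositories>
</project>"""


def local(tag):
    """Strip the '{namespace}' prefix so namespaced and bare POMs both work."""
    return tag.rsplit("}", 1)[-1]


def declared_repositories(pom):
    """Return (kind, id, url) for each download repository a POM (str or bytes) declares."""
    found = []
    for parent in ET.fromstring(pom).iter():
        # Only <repositories>/<pluginRepositories> (top level or inside a profile);
        # <distributionManagement><repository> is a deploy target and is skipped.
        if local(parent.tag) not in ("repositories", "pluginRepositories"):
            continue
        for repo in parent:
            fields = {local(c.tag): (c.text or "").strip() for c in repo}
            found.append((local(repo.tag), fields.get("id", ""), fields.get("url", "")))
    return found


def audit(cache_dir):
    """Map each *.pom under cache_dir to the repositories it declares."""
    report = {}
    for pom in sorted(Path(cache_dir).rglob("*.pom")):
        try:
            repos = declared_repositories(pom.read_bytes())
        except ET.ParseError:
            continue  # skip malformed POMs rather than abort the audit
        if repos:
            report[str(pom)] = repos
    return report


if __name__ == "__main__":
    result = audit(sys.argv[1]) if len(sys.argv) > 1 else {"sample": declared_repositories(SAMPLE_POM)}
    for path, repos in result.items():
        for kind, repo_id, url in repos:
            print(f"{path}: {kind} id={repo_id} url={url}")
```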