Leiningen: Tried to use insecure HTTP repository without TLS

I am trying to work through the Enlive tutorial.

When I try lein deps or lein run within the cloned repo, I run into this issue:

Tried to use insecure HTTP repository without TLS.

nenad asked Mar 07 '23 23:03


1 Answer

Recent versions of Leiningen have disabled insecure dependency downloads. From the FAQ:

Q: I got Tried to use insecure HTTP repository without TLS, what is that about?

A: This means your project was configured to download dependencies from a repository that does not use TLS encryption. This is very insecure and exposes you to trivially-executed man-in-the-middle attacks. In the rare event that you don't care about the security of the machines running your project or can ensure that the only http traffic is going out over a trusted network, you can re-enable support for unsafe repositories by putting this in your project.clj file:

;; never do this
(require 'cemerick.pomegranate.aether)
(cemerick.pomegranate.aether/register-wagon-factory!
 "http" #(org.apache.maven.wagon.providers.http.HttpWagon.))

It's also possible you have a dependency which includes a reference to an insecure repository for retrieving its own dependencies. If this happens it is strongly recommended to add an :exclusion and report a bug with the dependency which does this.

Overriding insecure HTTP repository URLs in project.clj:

I'm able to clone enlive-tutorial and do lein deps successfully if I override the following repository URLs in enlive-tutorial/project.clj, simply changing the protocol to HTTPS:

:mirrors {"clojure" {:url "https://build.clojure.org/releases/"}
          "clojure-snapshots" {:url "https://build.clojure.org/snapshots/"}}

It appears Moustache is the transitive dependency that's attempting to pull its dependencies via HTTP.

Taylor Wood answered Mar 23 '23 22:03
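
To find which cached dependency declares a plain-HTTP repository, as the answer above concludes Moustache does, the POM files in the local Maven cache can be scanned. This is an added example, not part of the original answer or of Leiningen. It assumes the default cache location ~/.m2/repository, and the sample POM and its repo.example.test URL are constructed.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample POM (not a real project's POM): one HTTP and one HTTPS repository.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>demo-lib</artifactId>
  <repositories>
    <repository><id>legacy</id><url>http://repo.example.test/releases/</url></repository>
    <repository><id>clojars</id><url>https://repo.clojars.org/</url></repository>
  </repositories>
</project>
"""

def local(tag):
    """Strip the XML namespace so namespaced and bare POMs are handled alike."""
    return tag.rsplit("}", 1)[-1]

def insecure_repos(pom_xml):
    """Return (repo id, url) for every repository/pluginRepository using plain http."""
    root = ET.fromstring(pom_xml)
    found = []
    for el in root.iter():
        if local(el.tag) not in ("repository", "pluginRepository"):
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        url = fields.get("url", "")
        if urlparse(url).scheme.lower() == "http":
            found.append((fields.get("id", "?"), url))
    return found

def scan_cache(cache_dir):
    """Map each cached .pom path to its insecure repositories (unparseable files skipped)."""
    hits = {}
    for pom in Path(cache_dir).rglob("*.pom"):
        try:
            repos = insecure_repos(pom.read_bytes())  # bytes: honour the declared encoding
        except ET.ParseError:
            continue
        if repos:
            hits[str(pom)] = repos
    return hits

if __name__ == "__main__":
    cache = sys.argv[1] if len(sys.argv) > 1 else Path.home() / ".m2" / "repository"
    for path, repos in scan_cache(cache).items():
        for repo_id, url in repos:
            print(f"{path}: {repo_id} -> {url}")
```

Each reported path names the artifact whose POM carries the HTTP repository, which is the dependency to override with a mirror, exclude, or report upstream.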