maven-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Delany <>
Subject 3.8.2 transitive dependency insecure repo
Date Sat, 14 Aug 2021 07:25:47 GMT
The new org.apache.maven:maven-core:3.8.2 has a transitive dependency
org.jboss.weld:weld-parent:pom:6, but its source repository is

When I run flatten-plugin with <flattenDependencyMode> set to "all", it
fails to resolve.

[ERROR] Failed to execute goal
org.codehaus.mojo:flatten-maven-plugin:1.2.7:flatten (default-cli) on
project dummy: failed to create a clean pom: unable to create flattened
dependencies: caught exception when flattening dependencies: Failed to read
artifact descriptor for javax.enterprise:cdi-api::1.0: Could not transfer
artifact org.jboss.weld:weld-parent:pom:6 from/to
maven-default-http-blocker ( Blocked mirror for
repositories: [ (,
default, releases), (,
default, snapshots), (, default,
snapshots)] -> [Help 1]

Shouldn't the maven-core dependency tree at least not contradict itself?


<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="" xmlns:xsi="" xsi:schemaLocation="">

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message