Welcome! Please see the About page for a little more info on how this works.

0 votes
in Tools by

Problem

It's impossible to depend on a deps.edn-based project using git or local dependency when that project uses custom maven repos. Attempts to build classpath for projects depending on such projects will fail.

Repro

I created a minimal repo that illustrates the issue: https://github.com/vlaaad/deps-mvn-repos-repro

It contains 3 deps.edn projects: lib, app-local and app-git.

lib contains a single deps.edn file that defines a custom maven repo and a dependency that pulls from that repo.

app-local contains a single deps.edn file that defines a :local/root dependency on lib.

app-git contains a single deps.edn file that defines a :git/url dependency on lib.

Expected behavior

Running clj -P should succeed in lib, app-local and app-git projects.

Actual behavior

Running clj -P succeeds only in lib and fails in app-local and app-git with the error "Error building classpath. Could not find artifact net.sf.saxon:saxon-dom:jar:9.1.0.8 in central (https://repo1.maven.org/maven2/)"

1 Answer

0 votes
by

My understanding is that this is by design, for security, so you don't depend on some project and have it randomly hijack where dependencies are being pulled in from: you should be able to control which repositories all your dependencies are coming from.

If something you depend on, in turn depends on something coming from a non-standard repo, it's up to you to decide whether that is safe and if so, add that repo explicitly to your own deps.edn in the appropriate order.

That's my read of it. I'll be interested to hear the official answer.

by
That's about right with where we are on it right now but it could change.

Same conceptual issue with: https://clojure.atlassian.net/browse/TDEPS-46
by
Surely I wouldn't want that maven repo to override my dependencies, but pulling those that don't exist in central/clojars would be welcome...
...