maven-metadata.xml is broken for some libraries due to a Maven Central issue

[akmhmgc]

Describe the bug

The maven-metadata.xml file for the artifact org.mvnpm:lit on Maven Central include only 2.0.1, even though other versions exist and are downloadable directly via URL.

Because of this, tools like Gradle and Maven cannot resolve dependencies that use version ranges like [3.1.3, 3.2), which results in build failures.

To Reproduce

Steps to reproduce the behavior:

1. Go to https://repo.maven.apache.org/maven2/org/mvnpm/lit/maven-metadata.xml
2. Confirm that only version 2.0.1 is listed
3. Attempt to resolve dependency org.mvnpm:lit:[3.1.3,3.2) using Gradle or Maven
4. See resolution error due to missing version metadata

[phillip-kruger]

Thanks. We migrated to the Publisher API over the weekend. I'll create an issue on central. Thanks

[akmhmgc]

@phillip-kruger Ah, I was supposed to open the issue in Central. Sorry about the mistake, and thank you!

[MayerMan]

In case anyone comes by, I see this issue for my Quarkus project using 3.15.4 LTS.

[maarten-donderwinkel]

We're experiencing this issue as well. Will this issue be updated if/once a solution is found or is there a link to the issue in Central that we can follow?

Thnx in advance for your efforts in resolving this.

[somashaker23]

can someone share the issue link reported in central?

[phillip-kruger]

As a workaround you can add the mvnpm server repo

To use it in your local Maven settings add the following to your settings.xml (typically /home/your-username/.m2/settings.xml)

<settings>
    <profiles>
        <profile>
            <id>mvnpm-repo</id>
            <repositories>
                <repository>
                    <id>central</id>
                    <name>central</name>
                    <url>https://repo.maven.apache.org/maven2</url>
                </repository>
                <repository>
                    <snapshots>
                        <enabled>false</enabled>
                    </snapshots>
                    <id>mvnpm.org</id> 
                    <name>mvnpm</name>
                    <url>https://repo.mvnpm.org/maven2</url>
                </repository>
            </repositories>
        </profile>
    </profiles>

    <activeProfiles>
        <activeProfile>mvnpm-repo</activeProfile>
    </activeProfiles>

</settings>

[somashaker23]

do you have something for gradle build project?

[quotidian-ennui]

@somashaker23 -> this is where the dependency resolution strategy will help

configurations.configureEach {
  resolutionStrategy.cacheChangingModulesFor 60, "minutes"
  resolutionStrategy.dependencySubstitution {
    // avoids conflicts building uber-jars, doesn't matter about the version since it will
    // will be transitively enforced by quarkus-bom (but 1.0.0.Final is the right version).
    substitute module('commons-logging:commons-logging') using module("org.jboss.logging:commons-logging-jboss-logging:1.0.0.Final")
    substitute module('org.mvnpm:lit:[3.1.3,3.2)') using module("org.mvnpm:lit:3.2.1")
  }
}

[brice-laurencin]

do you have something for gradle build project?

repositories {
    mavenCentral()
    mavenLocal()
    // Add this one line ↓
    maven("https://repo.mvnpm.org/maven2")
}

This should do it, but the higher-up workaround would fix your whole local system, not just one project.

Edit: actually none of those workaround seems to fix the issue, but it does find more versions.

[phillip-kruger]

can someone share the issue link reported in central?

I am not sure if this available online, I am in contact via email (central-support@sonatype.com).

[phillip-kruger]

Interesting it seems only lit is broken. See for instance @vaadin/button (https://repo.maven.apache.org/maven2/org/mvnpm/at/vaadin/button/maven-metadata.xml)

I used lit 2.0.1 to test a publish from mvnpm to central (with the new api), since it was not synced. I hope to have this sorted out soon, sorry about this. If you find any other libs please let me know.

[maarten-donderwinkel]

So far the maven-metadata.xml isn't updated, but I'm not sure how long that will take. Can you see if the sync has completed or not?

[somashaker23]

Workaround provided by @quotidian-ennui using dependency resolution strategy for gradle works for me. Thanks @quotidian-ennui

I am also still waiting for the fix from maven central to update the maven-metadata.xml with all versions.

is there any way I can update lit maven-metadata.xml in my internal proxy server(Sonatype Nexus Repository OSS)??

[phillip-kruger]

There is a know issue with central. They will have to manually fix it a.f.a.i.k. There is nothing to sync, all the files are there, but the metadata.xml (that is create by central) is not correct. I am not sure how long it will take...

[hho]

So they did already change something: Now three versions are listed (2.0.1, 2.2.0, 2.4.0), not just one – however, I suspect everyone here has the problem with Quarkus demanding a version in range [3.1.3,3.2) or similar…

EDIT: And now they replaced 2.2.0 with 2.2.4. It seems pretty random…

[phillip-kruger]

No that was me. I released some more old versions from mvnpm to see if new releases trigger a fix. It did not

[phillip-kruger]

Reply from central:

Hello Phillip,

This is a know issue with maven-metadata in Portal, we have a fix planned for it but we haven't got to it yet. We workaround it by fixing the maven-metadata on a case by case basis, but for org.mvnpm I don't think that's a feasible approach, given the volume that's published for it.

I have asked that they just fix lit as I think that is the one causing issues

[brice-laurencin]

It seems to be fixed now <3 https://repo1.maven.org/maven2/org/mvnpm/lit/maven-metadata.xml has all the data Quarkus needs.

Thanks a lot @phillip-kruger and everyone who helped on this!

[akmhmgc]

This issue has been resolved, so I will close it.

[akmhmgc]

When I checked just now, only version 2.2.3 was showing.

[phillip-kruger]

That is not good. I'll let central know.

[phillip-kruger]

Still waiting on Central to reply.

[phillip-kruger]

This is now fixed in central yet again. You can remove your workarounds and try again

[mcwarman]

Thanks for keeping on top of this.

Did they give you any indication as to what caused it to revert?

I'm reluctant to remove our workaround if its going to happen again

[phillip-kruger]

Seems like every new version will cause this. Old versions was syncing that is why it happened again, but all versions are synced now. So it will happen again if lit release a new version before Central fix this properly. I will push them to get this fixed a.s.a.p

[quotidian-ennui]

Thanks for keeping on top of this.

Did they give you any indication as to what caused it to revert?

I'm reluctant to remove our workaround if its going to happen again

org.mvnpm:lit is pinned at 3.2.0 inside the quarkus-bom; so regardless of the version range requested by the dev-ui/vaadin stuffs, it will be using 3.2.0

So, the dependencyResolution 'workaround' is actually transparently downgraded back to 3.2.0 anyway, so all its doing is to fixup the gradle resolution failure.

[ia3andy]

We had to temporarily stop mvnpm release flow to avoid breaking new libraries until this gets fixed by Maven Central.

I am keeping the issue open until we can restart the release flow.

[ia3andy]

Releasing is back on 🚀

Please report any issue!