Closed dnxodl closed 1 month ago
@dnxodl please, make sure you're fetching the Spring AI libraries from the actual Spring Project on Maven Central. There was a package squatting situation that got fixed. Someone was publishing potentially compromised Spring AI dependencies under a different project name on Maven Central (see: https://github.com/spring-projects/spring-ai/issues/537).
All official Spring libraries are published under org.springframework. It looks like the first dependency you listed was indeed pointing to the wrong and potentially malicious repository (io.springboot.ai). About the other three, they are pointing to the springframework.ai group instead of org.springframework.ai.
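One way to check a build for the lookalike coordinates discussed in the comment above, as an added example that is not part of the original thread or the Spring AI project: it flags any spring-ai-* artifact in a pom.xml whose groupId is not org.springframework.ai. The function name and the sample POM are constructed for illustration; the sample's lookalike coordinates are taken from the URLs in the original report.

```python
import xml.etree.ElementTree as ET

OFFICIAL_GROUP = "org.springframework.ai"  # official group named in the thread
ARTIFACT_PREFIX = "spring-ai"              # artifact names the lookalikes copied

# Constructed sample pom.xml; the version "EXAMPLE" is a placeholder.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1</version>
  <dependencies>
    <dependency><groupId>io.springboot.ai</groupId>
      <artifactId>spring-ai-transformers</artifactId><version>1.0.3</version></dependency>
    <dependency><groupId>group.springframework.ai</groupId>
      <artifactId>spring-ai-core</artifactId><version>1.0.3</version></dependency>
    <dependency><groupId>org.springframework.ai</groupId>
      <artifactId>spring-ai-core</artifactId><version>EXAMPLE</version></dependency>
  </dependencies>
</project>"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on POM element names."""
    return tag.rsplit("}", 1)[-1]


def find_lookalike_deps(pom_text):
    """Return (groupId, artifactId, version) for every spring-ai-* coordinate
    whose groupId is not the official one. Covers dependencies (including
    dependencyManagement), plugins and the parent declaration."""
    findings = []
    for elem in ET.fromstring(pom_text).iter():
        if _local(elem.tag) not in ("dependency", "plugin", "parent"):
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        group = fields.get("groupId", "")
        artifact = fields.get("artifactId", "")
        # A groupId given as a ${property} is also reported: resolve it by hand.
        if artifact.startswith(ARTIFACT_PREFIX) and group != OFFICIAL_GROUP:
            findings.append((group, artifact, fields.get("version", "")))
    return findings


if __name__ == "__main__":
    for group, artifact, version in find_lookalike_deps(SAMPLE_POM):
        print(f"NOT OFFICIAL: {group}:{artifact}:{version}")
```

This only inspects the POM it is given; transitive dependencies need the resolved dependency tree from the build tool.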
@dnxodl has your issue been resolved after the squatting situation was resolved?
Yikes, I just realized I've been using these potentially compromised dependencies too. Somehow I concluded back in April that the project must have moved, much like the Spring Cloud AWS stuff is now under awspring.io. At that time at least, the springboot.io dependencies looked newer. This seems like a pretty big deal and something that should at least get prominent mention on the project page. Time to rebuild and change all my keys...
Closing as resolved. Thank you for the suggestion @thewmo. We will review it with the team.
Hello
Since last week, error 403 occurs when accessing the maven repository to download jars.
I don't think it's just me, but I would appreciate it if you could tell me why
https://repo1.maven.org/maven2/io/springboot/ai/spring-ai-transformers/1.0.3/spring-ai-transformers-1.0.3.jar
https://repo1.maven.org/maven2/group/springframework/ai/spring-ai-chroma-store/1.0.3/spring-ai-chroma-store-1.0.3.jar
https://repo1.maven.org/maven2/group/springframework/ai/spring-ai-core/1.0.3/spring-ai-core-1.0.3.jar
https://repo1.maven.org/maven2/group/springframework/ai/spring-ai-spring-boot-autoconfigure/1.0.3
Please check
thank you