Getting “Blocked mirror for repositories” maven error even after adding mirrors

Total
0
Shares

In my past project I had a problem with dependencies starting with http, just like this one Maven Build Failure — DependencyResolutionException . Solution was to add mirrors for the project worked fine. Though now on another project I use the same dependencies, have the same setup and I am still getting the error. Any thoughts?


Solution

Maven now disables all insecure http://* mirrors by default. Here is explanation from maven mainteners:
http://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291

More and more repositories use HTTPS nowadays, but this hasn’t always been the case. This means that Maven Central contains POMs with custom repositories that refer to a URL over HTTP. This makes downloads via such repository a target for a MITM attack. At the same time, developers are probably not aware that for some downloads an insecure URL is being used. Because uploaded POMs to Maven Central are immutable, a change for Maven was required. To solve this, we extended the mirror configuration with parameter, and we added a new external:http:* mirror selector (like existing external:*), meaning “any external URL using HTTP”.
The decision was made to block such external HTTP repositories by default: this is done by providing a mirror in the conf/settings.xml blocking insecure HTTP external URLs.

The solution (not recommended for security reasons mentioned above) may be to remove <blocked> section from mirror list in default Maven settings.xml file (/usr/share/maven/conf/settings.xml)

Source: StackOverflow.com

Leave a Reply

Your email address will not be published. Required fields are marked *