Documentation says that version ranges should not resolve to SNAPSHOT, but SNAPSHOT repos are still queried

Affected version

3.6.0

Bug description

The documentation for maven-enforcer-plugin has a link to Version Ranges that says:

Resolution of dependency ranges should not resolve to a snapshot (development version) unless it is included as an explicit boundary.

However, in my observations, ALL configured repositories are queried for available versions, without regard to whether they are configured for snapshots or releases. It is possible that the quoted portion is still correct, and that SNAPSHOT versions are filtered out after retrieval. However, the expected behavior is that if these versions are to be excluded, then the repositories configured for snapshots only should never be queried at all when resolving version ranges. This may be a bug elsewhere in Maven, but the linked documentation from the maven-enforcer-plugin should, at the very least, document this behavior, if it is expected.

Note: this behavior is particularly problematic, because repository.apache.org is configured as a snapshot repository by default in the Apache parent POM, and INFRA blocks when you access repository.apache.org with too many 404s. This means that too many version ranges anywhere in your dependency tree will get you banned, even if you never depended on any SNAPSHOT versions.
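An added example, not part of the original report or of any Maven project code: a small audit that lists the two ingredients of the situation described above in a single POM, namely dependencies declared with a bracketed version requirement and repositories enabled for snapshots only. The sample POM, its coordinates and the `repo.example.invalid` URLs are constructed, and treating a missing `<releases>`/`<snapshots>` policy as enabled is an assumption of the script.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Any bracketed requirement, e.g. [1.0,2.0) or (,1.5]; also matches the exact form [1.0].
RANGE = re.compile(r"^\s*[\[(].*[\])]\s*$")

# Constructed sample input (hypothetical coordinates and URLs).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <repositories>
    <repository><id>example-snapshots</id>
      <url>https://repo.example.invalid/snapshots</url>
      <releases><enabled>false</enabled></releases>
      <snapshots><enabled>true</enabled></snapshots></repository>
    <repository><id>example-releases</id>
      <url>https://repo.example.invalid/releases</url>
      <snapshots><enabled>false</enabled></snapshots></repository>
  </repositories>
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>lib-a</artifactId>
      <version>[1.0,2.0)</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>lib-b</artifactId>
      <version>1.4.2</version></dependency>
  </dependencies>
</project>"""

def _enabled(repo, kind):
    # Assumption: a missing or empty policy element counts as enabled.
    return (repo.findtext(f"m:{kind}/m:enabled", "true", NS) or "true").strip() == "true"

def audit(pom_xml):
    """Return (ranged dependencies, ids of snapshot-only repositories) for one POM."""
    root = ET.fromstring(pom_xml)  # parse only POMs you trust; no entity hardening here
    ranged = []
    for dep in root.iterfind(".//m:dependency", NS):
        version = (dep.findtext("m:version", "", NS) or "").strip()
        if RANGE.match(version):
            ga = f'{dep.findtext("m:groupId", "", NS)}:{dep.findtext("m:artifactId", "", NS)}'
            ranged.append((ga, version))
    snapshot_only = [r.findtext("m:id", "", NS)
                     for r in root.iterfind("m:repositories/m:repository", NS)
                     if _enabled(r, "snapshots") and not _enabled(r, "releases")]
    return ranged, snapshot_only

if __name__ == "__main__":
    ranged, snapshot_only = audit(SAMPLE_POM)
    print("ranged dependencies:", ranged)
    print("snapshot-only repositories:", snapshot_only)
```

The script reads only the POM text it is given, so repositories inherited from a parent POM appear only if you feed it the output of `mvn help:effective-pom`, and ranges declared by transitive dependencies are not covered.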