Build logs "Downloading from shibboleth-repo: .." #27358
Labels
area/build
area/persistence: OBSOLETE, DO NOT USE
area/securepipeline: issues related to ensure Quarkus can be used in a secure pipeline setups like FIPS or similar
kind/enhancement: New feature or request
Describe the bug
When building a Quarkus application using the MSSQL JDBC driver, this dependency is pulling in an additional dependency com.nimbusds:oauth2-oidc-sdk whose pom.xml defines an additional Maven repository <id>shibboleth-repo</id>. This additional repository gets activated, as evidenced by the log:
Fetched metadata also actually pollute the local build repository; I'm considering this a problem as we don't want additional repositories being activated behind the user's back:
In general it's a bad practice to have such repositories in a pom as it leads to supply chain concerns.
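One way to audit for the condition reported above is to scan the POMs already cached in a local Maven repository and list every dependency that declares its own repositories. This is an added example, not code from the issue or from Quarkus; the sample POM, its placeholder URL, the function names and the default allowlist of `central` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: a dependency POM that declares its own repository.
# The URL is a placeholder, not the real repository's address.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.nimbusds</groupId>
  <artifactId>oauth2-oidc-sdk</artifactId>
  <repositories>
    <repository>
      <id>shibboleth-repo</id>
      <url>https://repo.example.invalid/releases</url>
    </repository>
  </repositories>
</project>"""

def _local(tag):
    # Strip the '{namespace}' prefix ElementTree puts on tag names.
    return tag.rsplit("}", 1)[-1]

def declared_repositories(pom_xml):
    """Return (kind, id, url) for every repository a POM asks Maven to resolve from."""
    data = pom_xml.encode("utf-8") if isinstance(pom_xml, str) else pom_xml
    if b"<!DOCTYPE" in data:  # POMs need no DTD; refuse entity tricks
        raise ValueError("DOCTYPE not allowed")
    found = []
    for elem in ET.fromstring(data).iter():
        # Only the <repositories>/<pluginRepositories> containers (top level or
        # inside a profile) add download sources; <distributionManagement> uses a
        # bare <repository> and is therefore skipped.
        if _local(elem.tag) in ("repositories", "pluginRepositories"):
            for repo in elem:
                fields = {_local(c.tag): (c.text or "").strip() for c in repo}
                found.append((_local(repo.tag), fields.get("id", ""), fields.get("url", "")))
    return found

def scan_local_repo(root, allowed_ids=("central",)):
    """Map each *.pom under root to the non-allowlisted repositories it declares."""
    report = {}
    for pom in sorted(Path(root).rglob("*.pom")):
        try:
            repos = declared_repositories(pom.read_bytes())
        except (ET.ParseError, ValueError):
            report[str(pom)] = [("unparsed", "", "")]  # surface it, do not hide it
            continue
        extra = [r for r in repos if r[1] not in allowed_ids]
        if extra:
            report[str(pom)] = extra
    return report
```

Run `scan_local_repo` against the local repository directory (`~/.m2/repository` by default in Maven) and review each reported id before deciding whether to allow it.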