Public Maven Repositories: Maven Central and More
Apache Maven, and build tools based off maven, (Leiningen, SBT, Gradle, Ivy, etc.) is in use across software organizations to build software that runs on the Java Virtual Machine (JVM).
If you’re new to Maven please check out our previous article: “What is a Maven Repository?”.
This article describes some of the most commonly used public maven repositories. If you’re looking for Private Maven Repositories, CloudRepo offers those to both companies and individuals. We do offer a 14 day free trial and we’d love to have you join us as a partner.
Public Maven Repositories
Public repositories store software artifacts that are free for the entire world to download. Maven and other build tools connect to public repositories to download dependencies used in software projects.
Dependencies are downloaded to the local maven repository, which defaults to the ~/.m2directory.
Pro Tip: A common misconception is that all artifacts in public repositories are open source and free to use. However, just because an artifact is available to download does not mean that it is open source. Be sure to check the license of any artifacts you use before you build them into your software.
Maven Central
Containing over three million maven artifacts, Maven Central is one of the world’s largest and oldest public repositories. It is the default repository that the maven client contacts when building a maven project. It is considered to be the ‘central’ maven repository, because it is the central location where the majority of public artifacts are stored.
You can Search Maven Central directly, or browse its contents, and download dependencies via an aggregator site such as Maven Repository (you can also search and view information about artifacts, such as licensing and transitive dependencies).
If you prefer a basic listing of all artifacts in central you can access central directly.
Publishing Artifacts to Maven Central
If you want to publish an open source library to Maven Central, follow the guide to uploading artifacts to the Central Repository.
Explicitly Pointing to Maven Central from your POM file.
To explicitly configure maven to use Central from your Project Object Model (POM) file, you may do so by adding the following to your pom.xml:
This is based on the Maven Default Project which defines the Super POM, or default settings, for all Maven builds.
Note: You do not have to explicitly depend on Maven Central as it is the default public repository for all maven builds.
Disabling the Default Maven Central Repository
If you’d like to prevent your builds from using Maven Central at all you can add the following to your pom:
Essentially, we’re overriding the value at repositories | repository | id. By reusing this id in our pom file, we are able to override the value of the corresponding id in the super (default) pom.
Note: If you disable access to Central, please be sure to add an alternative entry to your pom so that you will be able to retrieve artifacts. If all repositories are disabled then you will not be able to download any dependencies and your build will break!
Overriding the Default Public Repository
If you wish to override the default public repository, declare the Maven Central repository in your pom (as in the above section) but change the (in repositories | release | url ) tag to point at your desired private repository.
Other Public Repositories
There are several other public repositories which serve artifacts. These exists for various reasons as some companies like to host their own artifacts rather than use Maven Central.
We list some of the larger ones here, in alphabetical order:
Clojars — The Clojure Repository
If you’re using Clojure to develop your software then you should familiarize yourself with Clojars, which is the repository where most of the Clojure open source libraries are stored.
Clojars is tailored for Clojure developers and will be of use if you use Leiningen or Boot in addition to or in place of Maven to build your software.
Sonatype Releases Repository
Operated by the same team as Maven Central, the Sonatype Releases Repository is the staging repository for all artifacts that eventually make their way into Maven Central. If you publish to Central, you’ll use the Releases repository as part of the process.
In this public repository you’ll find development and snapshot versions of the release artifacts listed in Maven Central. You can browse its contents or search through the Maven Repository Interface.
Spring Repository
Spring is a Java Framework that helps Java engineers accomplish many different tasks related to software development. Spring has many different libraries and dependencies so the owners of Spring have decided to create their own maven repository to host them (in addition to Central).
You can use the Spring Repositories with the following configuration:
Spring Maven Releases
Spring Maven Snapshots
You can enable snapshot by pointing at the Snapshot repo:
Other Public Repositories
As we mentioned before, some organizations like to maintain their own public maven repositories. Here are a list of a few of the larger ones:
Looking for additional public repositories than the ones listed here? Check out the most extensive list of public maven repositories that we’ve been able to find.
Pro Tips and Best Practices When Using a Remote Repository
HTTP vs HTTPS
You should be very cautious when using an external maven repository which has an url that begins with http. HTTP is an inherently insecure protocol and should never be used when there is an HTTPS (SSL) alternative.
Many examples and repositories still offer the http protocol (including Maven Central). It is a good practice to attempt to use https in place of http for these servers. If the server does not support https then you should look to use a repository with stronger security.
Don’t Rely on Public Repositories
While pointing at public repositories is a great way to get started with your software project, it does introduce some risks. Artifacts in public repositories (like Maven Central) are controlled by third parties and may be removed at some point in the future.
While not a common occurrence, having just one dependency removed from Maven Central, or other public repository, can stop your project from building.
Google provides a mirror of Maven Central in case you can’t depend on Central directly or are looking for a missing dependency.
Thank You
Thank you for taking the time to read this article — we hope that it provided value for you in your quest to better understand Maven.
If you have any feedback about this article, or would like to see additional content on related topics, please let us know.
Originally published at www.cloudrepo.io.
