Public Maven Repositories: Maven Central and More
Read the entire article, or jump ahead to the relevant section.
- Public Maven Repositories: Maven Central and More
- Apache Maven
- Public Maven Repositories
- Maven Central
- Additional Repositories
- Pro Tips and Best Practices When Using a Public Repository
- Thank You
Apache Maven, and derivative build tools such as Leiningen, SBT, Gradle, Ivy, and others, are in use across software organizations to build software that runs on the Java Virtual Machine (JVM).
Apache Maven facilitates the storage and retrieval of dependencies which are stored in maven repositories.
If all this seems new or unfamiliar to you, please check out our previous article: “What is a Maven Repository?” and then rejoin us here.
This article will focus on the most commonly used, publicly available, repositories in use in the industry today.
Public Maven Repositories
As seen in the image above, repositories can be either local or remote. Remote repositories can be either public or private.
A public maven repository stores software artifacts (libraries, binaries, and other dependencies) that are free for the entire world to download, usually without credentials or authentication.
Contrast with private repositories that will require credentials or some sort of non-public access (like network isolation, mutual SSL, etc.).
Pro Tip: A common misconception is to believe that all publicly available maven artifacts are open source and free to use for commercial software development.
There are various levels of permissiveness in software licensing. Be sure to check all license agreement of any artifacts you use before you add then to your project’s dependencies (and especially before you ship any software!).
That warning aside, let’s begin with the largest and most widely used public repository, Maven Central.
Containing over three million software artifacts, the Central Repository is one of the world’s largest and oldest archives of software libraries.
Enabled by default in all maven clients it is widely considered to be the ‘central’ repository of the Java and JVM developer ecosystem.
Accessing Maven Central
You can search Central directly if you know which specific artifacts you wish to access.
If you prefer a more user friendly interface that allows you to browse the contents of Central and hundreds of other repositories, check out an maven repository aggregator such as Maven Repository.
An aggregator will help you will find information on licensing, transitive dependencies, source code links, and more - all across many different public repositories.
If you prefer a basic listing of all artifacts in central you can access central directly.
Accessing Central from the maven command line client requires no additional configuration.
Many developers publish Software Development Kits (SDKs), or other libraries, to Central so that they can be found easily and used with minimal configuration.
If you’d like to find out more details on how to publish your libraries to the world, follow the guide to uploading artifacts to the Central Repository.
Explicitly Using Central from your POM
To explicitly use Central from your Project Object Model (POM) file, you may do so by adding the following to your pom.xml:
This is based on the Maven Default Project which defines the Super POM, or default settings, for all builds performed with Apache Maven.
Note: You do not have to explicitly define this repository as it is the default public repository for all maven builds.
Disabling the Default Repository
You may have a reason or use case that requires you to disable access to the default repository. If you’d like to do this, you can add the following to your pom:
Essentially, we’re overriding the value at
repositories | repository | id and disabling both maven snapshots and releases.
By overriding the
id in the pom file, we are able to override any values that have been set for that id in the super (default) pom.
Note: If you disable access to Central, please be sure to add an entry for an alternative repository to your pom so that you will be able to retrieve artifacts.
If all repositories are disabled then you will not be able to download any dependencies and your build will break!
Overriding the Default Public Repository
Similar to disabling the default repository, if you wish to override the default public repository (and point it somewhere else, for example), declare the repository in your pom and set the
<url> (in the
repositories | release | url ) tag to point at your desired location.
There are several other publicly available repositories available for use today.
These exist for various reasons as some companies like to host their own artifacts in order to control the process and availability of the dependencies they provide.
We list some of the larger ones here, in alphabetical order.
Clojars - The Clojure Repository
Add Clojars to your POM file:
The Sonatype Releases Repository is the staging repository for all artifacts that are published to Maven Central.
If you are trying to distribute your artifacts to the widest possible audience, then you’ll use this repository as part of the process.
You can browse its contents or search through the Maven Repository interface.
Add the Sonatype Releases to your POM file:
The Spring Framework is a Java Framework that helps Java engineers accomplish many different tasks related to software development.
Spring provides so many different libraries and dependencies that the maintainers have decided to create their own maven repository to host them (in addition to Central).
You can use the Spring Repository with the following configuration:
All past and current releases of the Spring Framework can be retrieved from the Spring Releases Repository.
You can use the Releases Repository with the following:
It’s recommended that you use release version of dependencies as frequently as you can.
However, if you need a pre-release version of a Spring library, you can use the Spring Snapshots repository to retrieve them.
Here’s the POM file configuration:
Other Public Repositories
As we mentioned before, some organizations like to maintain their own public maven repositories. Here are a list of a few of the larger ones:
Looking for others beyond the ones listed here?
Pro Tips and Best Practices When Using a Public Repository
HTTP vs HTTPS
You should be very cautious when using an external maven repository which has an url that begins with HTTP.
HTTP is an inherently insecure protocol and should never be used when there is an HTTPS (SSL) alternative.
Caution is required because many examples and repositories still offer the HTTP protocol.
It is a good practice to attempt to use HTTPS in place of HTTP for these servers.
Note: If your repository does not support https then you should look to use a repository with stronger security.
Don’t Rely on Public Repositories
While pointing at public repositories is a great way to get started with your software project, it does introduce some risks.
Artifacts in public repositories are controlled by third parties and may be removed at some point in the future.
While not a common occurrence, having just one dependency removed from a repository can stop your project from building.
Google provides a mirror of Central that may help you find missing dependencies after they are deleted from central but before the mirror updates.
Thank you for taking the time to read this article - we hope that it provided value for you in your quest to better understand Maven.
If you have any feedback about this article, or would like to see additional content on related topics, please let us know.
If you’re looking for Private Maven Repositories, CloudRepo offers those to both companies and individuals.
We offer a 14 day free trialand we’d love to have you join us as a partner.