Tracking down a bad dependency in maven


June 15, 2020

Recently we moved away from our old maven mirror and started to use maven central directly for our builds. When we did this we started to get the error below.

Could not transfer artifact org.openjfx:javafx.base:jar:win:11.0.0-20180629.175051-1 from/to sonatype-oss-snapshots ( Failed to transfer file: Return code is: 502 , ReasonPhrase:Bad Gateway. -> [Help 1]

This error was happening randomly and was not reproducible. We were not able to understand this at first as we do not have a dependency on this version and where not able to find any declaration of this being used by any of our dependencies anywhere in maven.

Finding the chain

As you can imagine the first thing we need to do is track down where this dependency is coming from. As mentioned we could not see where this was coming from in the maven central UI, but this is difficult as we would have to check all our dependencies, then all their dependencies and so on. This can very quickly become a large number of dependencies to check.

Luckily there is a tool in maven for this, the maven-dependency-plugin. This plugin is used for dealing with resolving dependencies, but it also comes with a few useful commands that can be helpful. For our problem we are interested in the dependency:tree goal. This goal will produce a tree that contains a visual representation of the dependencies and where they come from.

When we ran this we found that the javafx was coming from the fasterxml classmate dependency, which was a dependency of the hibernate validator, which we use for bean validation.

+- org.hibernate.validator:hibernate-validator:jar:6.0.11.Final:compile
|  +- javax.validation:validation-api:jar:2.0.1.Final:compile
|  +- org.jboss.logging:jboss-logging:jar:3.1.3.GA:compile
|  +- com.fasterxml:classmate:jar:1.0.0:compile
|  \- org.openjfx:javafx.base:jar:11.0.0-SNAPSHOT:compile
|     +- org.openjfx:javafx.base:jar:linux:11.0.0-SNAPSHOT:compile
|     +- org.openjfx:javafx.base:jar:mac:11.0.0-SNAPSHOT:compile
|     \- org.openjfx:javafx.base:jar:win:11.0.0-SNAPSHOT:compile
+- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.2:compile


From the dependency tree above we could see where the dependency was coming from, but how do we fix this? One option is to use the dependency management and set the version to be used for the build. For us however this did not work, as it seems maven will still try to resolve the old version as well. So for us the only option was to update the hibernate validator and hope they had resolved the issue in the new version.

Lucky us

Luckily the next version of the hibernate validator does not use this version of classmate or javafx, and it is only a minor version change. So we safely updated to this version without difficulty.



Experienced developer in various languages, currently a product owner of leading the back end architecture.