Hi, community. If I want to develop based on the Spring core module to adapt a new AI big model, how is the pom.xml selected?

Docs:

  <repositories>
    <repository>
      <id>spring-milestones</id>
      <name>Spring Milestones</name>
      <url>https://repo.spring.io/milestone</url>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
    </repository>
    <repository>
      <id>spring-snapshots</id>
      <name>Spring Snapshots</name>
      <url>https://repo.spring.io/snapshot</url>
      <releases>
        <enabled>false</enabled>
      </releases>
    </repository>
  </repositories>
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.ai</groupId>
            <artifactId>spring-ai-bom</artifactId>
            <version>0.8.1-SNAPSHOT</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

Maven repo: https://mvnrepository.com/artifact/io DOT springboot DOT ai/spring-ai-core/1.0.0

<dependency>
    <groupId>io DOT springboot DOT ai</groupId>
    <artifactId>spring-ai-core</artifactId>
    <version>1.0.0</version>
</dependency>

Which one should I choose and is there any difference between them?
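The two candidate coordinates above differ only in the groupId, which is exactly the kind of detail a build file review tends to miss. Below is an added example (not Spring's code and not part of this issue) of a small audit that parses a pom.xml, checks each dependency's groupId against an allowlist of trusted namespaces, and flags artifacts that carry the Spring name but come from some other namespace; it also checks repository URLs and accepts Gradle-style `group:artifact:version` strings. The allowlist, the brand token list and the sample pom.xml are assumptions constructed for the example; a team would maintain its own.

```python
"""Audit Maven/Gradle dependency coordinates for lookalike group IDs.

Added example for this thread, not Spring's own tooling. The trusted-namespace
list, the repository host list and SAMPLE_POM are assumptions constructed here.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumed allowlist of namespaces this build may pull Spring artifacts from;
# org.springframework.ai is the one the thread identifies as official.
TRUSTED_GROUPS = ("org.springframework", "org.springframework.ai", "org.springframework.boot")

# Assumed allowlist of repository hosts (Spring's own repo plus Maven Central).
TRUSTED_REPO_HOSTS = ("repo.spring.io", "repo.maven.apache.org", "repo1.maven.org")

# Brand tokens that make an artifact look official; a dependency carrying one of
# these outside the trusted namespaces is the squatting pattern discussed above.
BRAND_TOKENS = ("spring",)

# Constructed sample: the official BOM from the question next to the lookalike.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository>
      <id>spring-milestones</id>
      <url>https://repo.spring.io/milestone</url>
    </repository>
  </repositories>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework.ai</groupId>
        <artifactId>spring-ai-bom</artifactId>
        <version>1.0.0-SNAPSHOT</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>io.springboot.ai</groupId>
      <artifactId>spring-ai-core</artifactId>
      <version>1.0.0</version>
    </dependency>
  </dependencies>
</project>
"""


def _local(tag):
    """Strip the Maven XML namespace prefix ({...}) from an element tag."""
    return tag.rsplit("}", 1)[-1]


def is_trusted(group_id):
    """True if the groupId is one of the trusted namespaces or nested under one."""
    return any(group_id == g or group_id.startswith(g + ".") for g in TRUSTED_GROUPS)


def classify(group_id, artifact_id):
    """Return 'trusted', 'lookalike' (brand name outside the trusted namespaces) or 'unknown'."""
    if is_trusted(group_id):
        return "trusted"
    tokens = re.split(r"[.\-_]", f"{group_id}.{artifact_id}".lower())
    if any(tok.startswith(BRAND_TOKENS) for tok in tokens):
        return "lookalike"
    return "unknown"


def audit_pom(xml_text):
    """List (groupId, artifactId, version, verdict) for every <dependency> in document order."""
    root = ET.fromstring(xml_text)
    rows = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in dep}
        g, a, v = fields.get("groupId", ""), fields.get("artifactId", ""), fields.get("version", "")
        rows.append((g, a, v, classify(g, a)))
    return rows


def audit_repositories(xml_text):
    """List (id, url, trusted) for every <repository> so unexpected mirrors stand out."""
    root = ET.fromstring(xml_text)
    rows = []
    for repo in root.iter():
        if _local(repo.tag) != "repository":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in repo}
        url = fields.get("url", "")
        host = urlparse(url).hostname or ""
        rows.append((fields.get("id", ""), url, host in TRUSTED_REPO_HOSTS))
    return rows


def audit_coordinate(coord):
    """Same check for a Gradle 'group:artifact:version' string."""
    parts = coord.split(":")
    if len(parts) < 2:
        raise ValueError(f"not a Maven coordinate: {coord!r}")
    version = parts[2] if len(parts) > 2 else ""
    return (parts[0], parts[1], version, classify(parts[0], parts[1]))


if __name__ == "__main__":
    for row in audit_pom(SAMPLE_POM):
        print("%-9s %s:%s:%s" % (row[3], row[0], row[1], row[2]))
    for repo_id, url, ok in audit_repositories(SAMPLE_POM):
        print("%-9s %s (%s)" % ("repo-ok" if ok else "repo-??", url, repo_id))
    print(audit_coordinate("io.springboot.ai:spring-ai-azure-openai-spring-boot-starter:1.0.0"))
```

Run against the sample, the BOM entry comes back `trusted` and the `io.springboot.ai` entry `lookalike`; the same check applied to the Gradle coordinate later in this thread flags it too. A check like this belongs in CI, where it fails the build rather than relying on someone noticing the groupId in review.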

Comment From: yuluo-yx

Community Issue Questions go unanswered? There's already a backlog of questions. @tzolov

Comment From: anbusampath

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.ai</groupId>
            <artifactId>spring-ai-bom</artifactId>
            <version>1.0.0-SNAPSHOT</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

You should continue to use the above one.

Comment From: yuluo-yx

This looks like some accidental publish.

Got it, thanks.

Comment From: tzolov

@yuluo-yx , @anbusampath

This looks like a package squatting attack!

The io.springboot.ai domain is not valid and is likely malicious.

The official Spring domain is org.springframework.ai and the latest version is 1.0.0-SNAPSHOT:

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.ai</groupId>
            <artifactId>spring-ai-bom</artifactId>
            <version>1.0.0-SNAPSHOT</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

Comment From: tzolov

And here is the official documentation with the currently supported versions and related docs: https://spring.io/projects/spring-ai#learn Mind that 0.8.1 is a milestone (so not available on Maven Central).

Comment From: yuluo-yx

@yuluo-yx , @anbusampath

This looks like a package squatting attack!

The io.springboot.ai domain is not valid and is likely malicious.

The official Spring domain is org.springframework.ai and the latest version is 1.0.0-SNAPSHOT:

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.ai</groupId>
            <artifactId>spring-ai-bom</artifactId>
            <version>1.0.0-SNAPSHOT</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

Got it. IMO, if there is indeed no relevant release, something should be done officially, as the GitHub address is the same as the project address, and some people may introduce the wrong package due to carelessness.


Comment From: tzolov

Thanks for raising this @yuluo-yx. We're not aware of it and will do our best to deal with it. From what I can see, springboot DOT io is a Chinese portal. I wonder how popular it is and whether the owners are involved or at least aware of the attack.

Comment From: XhstormR

I also encountered this problem. I was using the wrong dependency package 😂:

// not official do not use
implementation("io DOT springboot DOT ai:spring-ai-azure-openai-spring-boot-starter:1.0.0")

Comment From: yuluo-yx

Thanks for raising this @yuluo-yx. We're not aware of it and will do our best to deal with it. From what I can see, springboot DOT io is a Chinese portal. I wonder how popular it is and whether the owners are involved or at least aware of the attack.


Judging from the usage of the Maven repository, there are still a lot of users. Also, the update is close to the time of the 1.0.0 release.

@tzolov Maybe we can pin this issue to warn more developers.

Comment From: yuluo-yx

I also encountered this problem. I was using the wrong dependency package 😂:

// not official do not use
implementation("io DOT springboot DOT ai:spring-ai-azure-openai-spring-boot-starter:1.0.0")

Haha, very unfortunate.

Comment From: dsyer

Judging from the usage of the maven repository, there are still a lot of users.

Those usages are all just within spring-ai (the core jar is used by all the others). So there's not a lot of evidence of usage by the community.

Comment From: digital-shokunin

I'm no expert in this library, but I see no evidence of anything malicious being added yet. Perhaps the idea (if the intent was malevolent) was to sneak a benign change through and later make changes once that trust or namespace was established?

I did some decompiles and found nothing suspicious, but then decided to compare it to the last release.

pkgdiff infiles/spring-ai-core-0.8.1.jar infiles/spring-ai-core-1.0.0.jar.zip 
reading packages ...
comparing packages ...
creating report ...
result: CHANGED (1.9%)
report: pkgdiff_reports/spring-ai-core/0.8.1_to_1.0.0.jar/changes_report.html

Spring-ai [Malicious, Package Squatting Attack] Do Not Use Packages from the


Comment From: digital-shokunin

pkgdiff_reports.zip

Copy of the report attached.
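The comparison above is the right instinct: a jar is a zip archive, so the cheapest review of a suspect artifact is an entry-by-entry diff against the release it claims to supersede. Below is an added example (not pkgdiff and not part of this issue) that hashes every entry of two archives, reports what was added, removed or modified, and then pulls out the entries a reviewer should open first: new or changed `.class` files and anything under `META-INF/services/` or `META-INF/spring/`, which the JDK ServiceLoader and Spring Boot auto-configuration pick up without the application referencing them. The two archives, their package names and their contents are constructed in memory for the example and stand in for the 0.8.1 and 1.0.0 jars named in the comment.

```python
"""Entry-by-entry diff of two jar (zip) artifacts with a review shortlist.

Added example for this thread; the archives below are constructed stand-ins,
not the real spring-ai-core jars, and org.example.ai is an invented package.
"""
import hashlib
import io
import zipfile


def build_jar(entries):
    """Constructed stand-in for a jar: {path: bytes} -> zip archive bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in sorted(entries.items()):
            zf.writestr(name, data)
    return buf.getvalue()


# The "previous release": a manifest and two class files (contents made up).
OLD_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/example/ai/ChatClient.class": b"\xca\xfe\xba\xbe old body",
    "org/example/ai/Prompt.class": b"\xca\xfe\xba\xbe prompt body",
})

# The "new artifact": one class changed, one class added, plus a ServiceLoader
# registration that would activate the new class automatically.
NEW_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/example/ai/ChatClient.class": b"\xca\xfe\xba\xbe new body",
    "org/example/ai/Prompt.class": b"\xca\xfe\xba\xbe prompt body",
    "META-INF/services/org.example.Plugin": b"org.example.ai.ExtraImpl\n",
    "org/example/ai/ExtraImpl.class": b"\xca\xfe\xba\xbe extra body",
})

# Paths whose contents take effect without the caller referencing them.
AUTO_LOADED_PREFIXES = ("META-INF/services/", "META-INF/spring/", "META-INF/spring.factories")


def entry_digests(jar_bytes):
    """Map each file entry to the SHA-256 of its decompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_jars(old_bytes, new_bytes):
    """Return added/removed/modified entry lists and the changed percentage."""
    old, new = entry_digests(old_bytes), entry_digests(new_bytes)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(name for name in set(old) & set(new) if old[name] != new[name])
    total = len(set(old) | set(new))
    changed = len(added) + len(removed) + len(modified)
    pct = round(100.0 * changed / total, 1) if total else 0.0
    return {"added": added, "removed": removed, "modified": modified, "changed_pct": pct}


def review_shortlist(report):
    """Entries to decompile first: new or changed bytecode and auto-loaded registrations."""
    shortlist = []
    for name in report["added"] + report["modified"]:
        if name.endswith(".class") or name.startswith(AUTO_LOADED_PREFIXES):
            shortlist.append(name)
    return shortlist


if __name__ == "__main__":
    report = diff_jars(OLD_JAR, NEW_JAR)
    for kind in ("added", "removed", "modified"):
        for name in report[kind]:
            print("%-9s %s" % (kind, name))
    print("result: CHANGED (%.1f%%)" % report["changed_pct"])
    print("review first:", review_shortlist(report))
```

Against the constructed archives this reports one modified class, two added entries and a 60% change ratio, and the shortlist contains all three. A low overall percentage, as in the 1.9% above, is not reassuring on its own: a single added `META-INF/services/` or `META-INF/spring/` entry is enough to load new code, so the shortlist matters more than the ratio.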

Comment From: konczdev

The situation will only get worse. @tzolov


Comment From: yuluo-yx

The situation will only get worse. @tzolov

It should be fixed soon, as the use of the Maven package is increasing. 🤔

Comment From: dingmeng-xue

@markpollack , FYI.

Comment From: markpollack

The artifact is gone from Maven Central and the links from mvnrepository.com (if you try to click to download the pom or JAR) lead to 403s.