The maven-metadata.xml contain <version>5.4.7</version>. More recent versions are missing. This leads to errors in builds.

See * https://repo1.maven.org/maven2/org/springframework/security/spring-security-core/maven-metadata.xml * https://repo1.maven.org/maven2/org/springframework/security/spring-security-crypto/maven-metadata.xml * https://repo1.maven.org/maven2/org/springframework/security/spring-security-oauth2-core/maven-metadata.xml * ...

Comment From: rwinch

Thanks for the report. I have done some preliminary investigation.

For Spring Security 5.5.x we switched to using s01.oss.sonatype.org while older branches are still using oss.sonatype.org. I suspect this may have something with the issue, but I am not certain. I have created a ticket in OSSRH to see if they can help figure out what is happening.

For transparency, for Spring Security 5.5.x we switched to using Gradle's maven-publish plugin from the legacy Maven plugin. At first I thought this may have caused the issue. However, checking out the 5.5.1 tag I'm able to publish successfully and produce a valid maven-metadata.xml file. I thought perhaps the existing maven-metadata.xml file could be causing problems, so I published to a repository that contained all of the artifacts in Central and it still produced the correct maven-metadata.xml using the following:

git clone https://github.com/spring-projects/spring-security.git
cd spring-security
git checkout -b maven-metadata 5.5.1
rm -rf build
mkdir -p build/publications/repos
cd build/publications/repos
wget -e robots=off -r --no-parent --reject "index.html*" https://repo.maven.apache.org/maven2/org/springframework/security/spring-security-core/ --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0" 
./gradlew publishMavenPublicationToLocalRepository
cat build/publications/repos/org/springframework/security/spring-security-core/maven-metadata.xml

Comment From: rwinch

I got a report that this is due to publishing to s01.oss.sonatype.org which doesn't have all of the security artifacts in it. Sonatype has explicitly synched s01 release repository and then triggered an index on the maven-metadata.xml to be regenerated. They said it will take a while. I'm also told that the problem will continue if we don't select one place for publication as the release repositories need to have all the artifacts to ensure that maven-metadata is correct.

Comment From: rwinch

The s01 repository has been synched and maven-metadata.xml has been updated. This should now be resolved. Note that we still have to fix https://github.com/spring-projects/spring-security/issues/10015 to ensure that Central doesn't get into a bad state again.