From mobile apps to microservices, from small startups to big enterprises, Gradle helps teams build, automate and deliver better software, faster.

Gradle Community

Any dynamic dependency? Even if it's transitive

are the POM files referenced, either directly from your project or as a transitive dependency, with a dynamic version or a SNAPSHOT?  e.g. latest.release, 1.+, 0.1.0-SNAPSHOT.  Those have a cache time-to-live and will be periodically redownloaded (cache TTL is configurable)

a Gradle build scan (`--scan`) would help identify dependency resolution here.

thats the repo:
```maven {
    url = URI("<https://packages.confluent.io/maven/>")
}```
and the deps are stable kafka libs, no snapshots

another consideration is the order of repositories - each repository will be checked for dependencies in the order declared.  is it perhaps checking for artifacts that don’t exist in that repo (but exist in the next repo)?  in that case, there are content filters to limit what a repo is used to resolve.

in any event, run a scan to understand what is being resolved from where.

ok sorry if thats a stupid question, but can i be sure that the scan does not upload sensitive info?

my guess is that the 3rd party repo is missing some metadata and maven tries to fetch the missing data from maven central

if you are worried about scan uploading sensitive info, start with running with --info and --refresh-dependencies, grepping all the download log entries to understand what is being resolved.

for completion, you can find <https://docs.gradle.com/enterprise/gradle-plugin/#captured_information|here> the list of captured information when publishing a Build Scan. When publishing to <http://scans.gradle.com|scans.gradle.com> you can always delete the Build Scan when you don’t need it anymore and no trace of it will remain in the system.