Dependency-Track is configured "out of the box" with several Maven Repositories. One of these is Maven Central, run by Sonatype.
Sonatype has analysed traffic and decided to respond with HTTP 429 errors to individual IP addresses that exceed a request threshold, as documented in their blog post: Maven Central and the tragedy of the commons
In Dependency-Track, statuses other than 200 are only logged at DEBUG level, meaning that an administrator would currently have a hard job even knowing that they were being impacted by throttling.
Note that many corporate environments use a NAT gateway, meaning that Maven Central may see traffic from Dependency-Track AND CI/CD servers AND developer IDEs as all coming from the same IP. Thus, it is possible that DT might not be causing the throttling... but still be impacted by it.
Proposed Behavior
Change the log level so that the admin can see HTTP 429 errors in the log by default.
Possibly adjust the logging logic so that the log does not get spammed with too many entries.
Add a circuit breaker, such that once we hit a certain threshold of 429s, we don't make the problem worse by throwing more and more requests at the system that gave us the 429.
Metrics would be nice to have and should be investigated (being aware of the need to avoid extreme memory usage).
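The following is an added example, not Dependency-Track's or Sonatype's code, sketching the two proposals above in one place: a circuit breaker that stops sending requests to a repository after a run of 429s (pausing for the server's Retry-After when it gives one), and a rate-limited WARN logger so that non-200 statuses are visible by default without flooding the log. The `fetch` callable, the `FakeClock`, the delta-seconds-only Retry-After parsing and the simulated 429/200 sequence are assumptions made for the example.

```python
import logging
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple, Union

log = logging.getLogger("repo-client")
Response = Tuple[int, Dict[str, str]]  # (status, headers): constructed shape for the example


@dataclass
class RateLimitedLog:
    """Emit the first warning immediately, then at most one per `interval`
    seconds, tagging it with how many similar events were suppressed."""
    interval: float
    clock: Callable[[], float] = time.monotonic
    emitted: int = field(default=0, init=False)
    suppressed: int = field(default=0, init=False)
    _last: float = field(default=float("-inf"), init=False)

    def warn(self, msg: str) -> bool:
        now = self.clock()
        if now - self._last < self.interval:
            self.suppressed += 1  # counted now, reported with the next emitted line
            return False
        if self.suppressed:
            msg += f" ({self.suppressed} similar events suppressed)"
        log.warning(msg)
        self.emitted += 1
        self._last, self.suppressed = now, 0
        return True


def retry_after_seconds(headers: Dict[str, str], default: float) -> float:
    """Honour a delta-seconds Retry-After header; absent or unparsable values
    (including the HTTP-date form, not handled here) fall back to `default`."""
    try:
        return float(headers["Retry-After"])
    except (KeyError, ValueError):
        return default


@dataclass
class CircuitBreaker:
    """closed -> open after `threshold` consecutive 429s; open for Retry-After
    (or `cooldown`) seconds; then half_open, letting exactly one probe through."""
    threshold: int
    cooldown: float
    clock: Callable[[], float] = time.monotonic
    state: str = field(default="closed", init=False)
    consecutive_429: int = field(default=0, init=False)
    open_until: float = field(default=float("-inf"), init=False)

    def allow(self) -> bool:
        if self.state == "open" and self.clock() >= self.open_until:
            self.state = "half_open"  # cooldown over: one probe may go out
            return True
        return self.state == "closed"

    def record(self, status: int, headers: Dict[str, str]) -> None:
        if status != 429:
            if self.state != "closed":
                log.warning("circuit closed again after a non-429 response")
            self.state, self.consecutive_429 = "closed", 0
            return
        self.consecutive_429 += 1
        if self.state == "half_open" or self.consecutive_429 >= self.threshold:
            wait = retry_after_seconds(headers, self.cooldown)
            self.state, self.open_until = "open", self.clock() + wait
            log.warning("circuit opened after %d consecutive 429s; pausing %ss",
                        self.consecutive_429, wait)


def guarded_fetch(breaker: CircuitBreaker, non200: RateLimitedLog,
                  fetch: Callable[[str], Response], url: str) -> Optional[Response]:
    """Skip the request locally (None) while the circuit is open; otherwise
    fetch, feed the result to the breaker and surface any non-200 at WARN."""
    if not breaker.allow():
        return None
    status, headers = fetch(url)
    breaker.record(status, headers)
    if status != 200:
        non200.warn(f"HTTP {status} from {url}")
    return status, headers


class FakeClock:
    """Deterministic clock so the scenario below is reproducible (example only)."""
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate(seconds: int = 40, throttled_calls: int = 5) -> dict:
    """Constructed scenario: the server answers 429 + Retry-After: 10 to the first
    `throttled_calls` requests and 200 afterwards; one attempt per second."""
    clock = FakeClock()
    non200 = RateLimitedLog(interval=60.0, clock=clock)
    breaker = CircuitBreaker(threshold=3, cooldown=30.0, clock=clock)
    calls = {"n": 0}

    def fetch(url: str) -> Response:  # stand-in for the real HTTP client
        calls["n"] += 1
        if calls["n"] <= throttled_calls:
            return 429, {"Retry-After": "10"}
        return 200, {}

    outcomes: List[Union[int, str]] = []
    for _ in range(seconds):
        r = guarded_fetch(breaker, non200, fetch, "https://repo1.maven.org/maven2/")
        outcomes.append("skip" if r is None else r[0])
        clock.advance(1.0)
    return {"outcomes": outcomes, "server_calls": calls["n"],
            "warnings_emitted": non200.emitted, "warnings_suppressed": non200.suppressed}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(simulate())
```

In the simulated run, 40 local attempts turn into 13 requests actually sent: three 429s trip the breaker, the three 10-second Retry-After pauses each end with a single probe, and traffic resumes only once a probe gets a 200. The non-200 logger emits one WARN line and counts the rest, which is the trade-off to be aware of: suppressed events are only reported on the next emitted line, so a long quiet spell after a burst leaves the count unreported until then.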