leiningen

2026-05-10T02:55:25.840669Z

I'm having some trouble installing dependencies. I'm getting tons of errors like the one below, but I can navigate to the dep in my browser. It's not isolated to this single package.

Could not transfer artifact org.eclipse.jetty:jetty-security:jar:12.1.8 from/to central (): Checksum validation failed, no checksums available
C
I have this in my project.clj
:repositories [["central" {:url ""
                             :snapshots false}]
                 ["clojars" {:url ""
                             :snapshots false}]]
I haven't had any issues like this up until today in CI and locally once I nuked my .m2 cache. does anyone know what might be wrong? is this the wrong place to ask?

☝️ 2
MIJOTHY 2026-05-11T14:19:08.770349Z

adjusting :mirrors worked for us. as another datapoint, we also ran into this at $WORK. we only experienced it with lein, across a suite of versions and contexts, but almost entirely on github actions using github-hosted runners (i was able to repro once locally). it makes me wonder if the CDN is doing some rate limiting based on IP ranges - hence failures are observed mostly on CI - and it has some sort of special treatment for tools (e.g. by user agent) but lein isn't blessed to be a part of them? this is all conjecture, i haven't gone very deep into this

2026-05-11T14:48:36.500889Z

That's an interesting theory - tools.deps currently uses the default user-agent ("Aether", see https://clojurians.slack.com/archives/C6QH853H8/p1775731021527679), whereas lein uses "Leiningen/1.12.0 (Java OpenJDK 64-Bit Server VM; Linux 7.0.4-100.fc43.x86_64; amd64)" (on my machine)

2026-05-11T20:58:16.725849Z

I was able to recreate this with a proxy that captured requests, and it is indeed rate limiting that is the issue (429s from maven central). I think tools.deps does better, as it uses a newer maven dependency-resolver version than the latest released lein, which may have better backoff/retry handling. I just tried with a local install of lein from main, and it succeeded (there is an unreleased upgrade to a newer maven dependency-resolver version via pomegranate).

👍 2
2026-05-11T20:58:37.310929Z

@technomancy would it be possible to get a release of lein to get ^ out?

2026-05-10T11:57:45.313669Z

This feels similar to https://clojurians.slack.com/archives/C0H28NMAS/p1778355041089649, and makes me think there is a CDN issue somewhere with central or something. It is working fine for me in the southeastern US; where are you located?

2026-05-10T12:00:16.010569Z

Massachusetts

2026-05-10T12:03:23.723049Z

Are all the errors related to checksum validation, or are there other types?

2026-05-10T12:07:50.128059Z

all the errors are either Checksum validation failed, no checksums available or just Could not find artifact. Most are the latter

2026-05-10T12:25:52.743819Z

If it was a cdn issue, shouldn't deps have similar issues?

2026-05-10T12:30:54.290489Z

I would think so, yes. I'm curious if deps is using the old repo url. Can you try using that in your project.clj? It's https://repo1.maven.org/maven2/ (I believe that is still the default that lein uses if you don't provide a :repositories entry). It is the same infrastructure, but maybe the CDN doesn't share a cache between them (a complete guess)?

2026-05-10T14:30:03.981279Z

the issue persists

2026-05-10T14:43:10.419569Z

What version of lein are you using?

2026-05-10T14:54:03.168689Z

I've tried with 2.10.0 and 2.12.0

2026-05-10T14:58:05.880369Z

Anything in ~/.lein/profiles.clj? Do you have the http_proxy env var set?

2026-05-10T15:01:36.445279Z

no on both counts

2026-05-10T17:27:11.818469Z

Any plugins in your project.clj? Has anything changed recently?

2026-05-10T17:34:32.909099Z

I upgraded some deps, but reverting to a previous working state has the same issues. https://github.com/meltzg/pigeon-scoops-backend/blob/main/project.clj my project.clj. This was definitely working the last time it deployed

2026-05-10T18:01:37.127359Z

I just noticed you're marked away. This project is deeply unimportant. I did not mean to interrupt your vacation

2026-05-10T18:05:02.286689Z

It's no problem at all! Using your project.clj, all deps resolve for me using lein deps on one try. Then, rm'ing ~/.m2/repository/, they don't. Then, they did on another try. So it feels like an intermittent issue with maven central.

2026-05-10T18:47:18.213259Z

🙃 thanks for validating I'm not crazy

carnundotcom 2026-05-10T19:09:34.554779Z

^Oh yay! Nor am I. 🙃

carnundotcom 2026-05-10T19:10:54.592369Z

Same (or eerily similar) issue, lein 2.10.0.

carnundotcom 2026-05-10T19:13:28.683439Z

Some checksum validation errors, some "Could not find artifact", some "Could not transfer artifact"... lots of noise.

carnundotcom 2026-05-10T19:15:05.957899Z

I'm afraid I cannot share my project.clj as private work repo, but just wanted to corroborate, at least.

carnundotcom 2026-05-10T19:22:39.132909Z

All good from a warm .m2, only seeing problems when the cache is cold.

2026-05-10T19:27:17.389659Z

yeah. I wasn't caching in CI, so it was always cold. My project is just a small pet project, so I switched to deps.edn

👍 1
rafd 2026-05-11T02:08:37.495749Z

Ty @carnunmp adding the mirror fixed things for me!

👌 1
technomancy 2026-05-12T15:43:52.511229Z

@tcrawley I can see about that, yeah. so the difference is in how it reacts to rate limiting?

2026-05-12T15:58:46.981439Z

I think so. I haven't looked at the resolver code, but lein from main seems to succeed eventually, where 2.12.0 fails to download all the dependencies when rate-limited.

technomancy 2026-05-12T16:08:15.163229Z

I might try to get https://codeberg.org/leiningen/leiningen/issues/109 included in the next release

👍 2
technomancy 2026-05-12T16:08:27.610889Z

it should be relatively quick, and nice to have

neumann 2026-05-16T05:15:37.607609Z

Maven Central is definitely rate limiting. They added info about it to their 429 page: https://central.sonatype.org/faq/429-error/

2026-05-10T03:39:31.377169Z

all the artifacts resolve and download fine if I use deps.edn