I need to use artifacts from a third-party repo in my project.
Therefore, I add the following to my POM:
<repositories>
  <repository>
    <id>bunch-of-cowboys</id>
    <name></name>
    <url>https://maven.bunch-of-cowboys.com</url>
    <snapshots>
      <enabled>false</enabled>
    </snapshots>
  </repository>
</repositories>
The problem I have is that I do not particularly trust this company that much. When I add the above, Maven will search bunch-of-cowboys before it searches central. This is by design. Effectively this company can now totally override anything in Maven Central .. and I probably wouldn’t even find out if they did.
For me, this is a massive security risk. The other problem is that it prolongs builds. It might even prolong it significantly if that third-party Maven server is slow to respond.
I do understand that I can “fix” the problem by explicitly declaring Maven Central in my POM, for example:
<repositories>
  <!-- first, Maven Central -->
  <repository>
    <id>central</id>
    <name>Central Repository</name>
    <url>https://repo.maven.apache.org/maven2</url>
    <snapshots>
      <enabled>false</enabled>
    </snapshots>
  </repository>
  <!-- then, Bunch of Cowboys -->
  <repository>
    <id>bunch-of-cowboys</id>
    <name></name>
    <url>https://maven.bunch-of-cowboys.com</url>
    <snapshots>
      <enabled>false</enabled>
    </snapshots>
  </repository>
</repositories>
It is not feasible to remember to do this in every project. It is also not feasible to educate all developers in my company to always remember to do this.
Therefore: How do people cope with this risk? Is there a global switch in Maven which says to always prioritize central? Frankly, I don’t understand why the repository defined in the Maven Super POM (aka central) does not take priority over any other defined repos.
Ref: Maven official documentation on repo lookup order
One way to cope with this is to set up an Artifactory server in your company.
You usually need something like this anyway to store the artifacts you built yourself.
Then you use that Artifactory as a mirror of everything and add the repositories in Artifactory. There, you have fine-grained control, not only over the order of the repositories, but you can also restrict certain repositories to certain directories or (sub-)groupIds.
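The Maven side of this setup, as an added example that is not part of the question or the answer: a `settings.xml` whose `<mirrorOf>*</mirrorOf>` mirror routes every repository id (the built-in `central` as well as any `<repository>` a project POM declares, such as bunch-of-cowboys) to the company's Artifactory, so developers cannot bypass it by editing a POM. The Artifactory hostname, the virtual repository name `maven-all` and the credential environment variables are assumptions; the order in which Central and the third-party remote are consulted is then set once, on the Artifactory virtual repository, rather than in each project.

```xml
<!-- ~/.m2/settings.xml (added example; hostname, repo name and env vars are assumed) -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              https://maven.apache.org/xsd/settings-1.0.0.xsd">
  <mirrors>
    <!-- "*" matches every repository id, including "central" and any
         <repository> declared in a project POM. Maven therefore never
         contacts https://maven.bunch-of-cowboys.com directly; every
         lookup goes to the Artifactory virtual repository, which decides
         the order (Central first) and which groupIds each remote may serve. -->
    <mirror>
      <id>corp-artifactory</id>
      <name>Corporate Artifactory virtual repository</name>
      <url>https://artifactory.example.com/artifactory/maven-all</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>

  <!-- Credentials for the mirror, matched to it by the same id.
       Read from the environment so they are not committed anywhere. -->
  <servers>
    <server>
      <id>corp-artifactory</id>
      <username>${env.ARTIFACTORY_USER}</username>
      <password>${env.ARTIFACTORY_TOKEN}</password>
    </server>
  </servers>
</settings>
```

With this in place, `mvn dependency:resolve -X` on a project that still declares the bunch-of-cowboys repository shows every request going to the Artifactory URL, which is the quick check that the mirror rule actually applies.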