{"id":13622712,"url":"https://github.com/reactor/reactor","last_synced_at":"2026-03-10T14:08:35.192Z","repository":{"id":8182923,"uuid":"9609018","full_name":"reactor/reactor","owner":"reactor","description":"Reactor Bill Of Materials (tracking reactor-core, reactor-netty and more)","archived":false,"fork":false,"pushed_at":"2026-02-10T10:55:06.000Z","size":24083,"stargazers_count":3686,"open_issues_count":9,"forks_count":490,"subscribers_count":244,"default_branch":"main","last_synced_at":"2026-02-10T15:59:04.999Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://projectreactor.io","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/reactor.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2013-04-22T21:10:05.000Z","updated_at":"2026-02-10T10:55:09.000Z","dependencies_parsed_at":"2024-01-09T11:38:27.570Z","dependency_job_id":"8cd735b2-ab78-4ed4-b74a-c082f5528594","html_url":"https://github.com/reactor/reactor","commit_stats":{"total_commits":618,"total_committers":27,"mean_commits":22.88888888888889,"dds":0.7443365695792881,"last_synced_commit":"7fb6fc260c0ac84c947c4c62cbd5acb0e8bf75c2"},"previous_names":[],"tags_count":260,"template":false,"template_full_name":null,"purl":"pkg:github/reactor/reactor","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reactor%2Freactor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reactor%2Freactor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reactor%2Freactor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reactor%2Freactor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/reactor","download_url":"https://codeload.github.com/reactor/reactor/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reactor%2Freactor/sbom","scorecard":{"id":655486,"data":{"date":"2025-08-11","repo":{"name":"github.com/reactor/reactor","commit":"bda91b587d02ddded0fe370d5bd3dc89b47d4ef5"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":7.8,"checks":[{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":9,"reason":"binaries present in source code","details":["Warn: binary detected: gradle/wrapper/gradle-wrapper.jar:1"],"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":0,"reason":"Found 0/29 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:37","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:36","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/publish.yml:139","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/publish.yml:155","Info: found token with 'none' permissions: .github/workflows/codeql-analysis.yml:1","Info: found token with 'none' permissions: .github/workflows/publish.yml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":8,"reason":"dependency not pinned by hash detected -- score normalized to 8","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/reactor/reactor/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:84: update your workflow using https://app.stepsecurity.io/secureworkflow/reactor/reactor/codeql-analysis.yml/main?enable=pin","Info:  11 out of  13 GitHub-owned GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/reactor/.github/SECURITY.md:1","Info: Found linked content: github.com/reactor/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/reactor/.github/SECURITY.md:1","Info: Found text in security policy: github.com/reactor/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/publish.yml:37"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (1) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-21T14:32:44.648Z","repository_id":8182923,"created_at":"2025-08-21T14:32:44.648Z","updated_at":"2025-08-21T14:32:44.648Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30336124,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-10T12:41:07.687Z","status":"ssl_error","status_checked_at":"2026-03-10T12:41:06.728Z","response_time":106,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T21:01:23.211Z","updated_at":"2026-03-10T14:08:35.184Z","avatar_url":"https://github.com/reactor.png","language":null,"readme":"# Reactor Project\n\n[![Join the chat at https://gitter.im/reactor/reactor](\thttps://img.shields.io/gitter/room/reactor/reactor.svg)](https://gitter.im/reactor/reactor?utm_source=badge\u0026utm_medium=badge\u0026utm_campaign=pr-badge\u0026utm_content=badge)\n\n [![Download](https://img.shields.io/maven-central/v/io.projectreactor/reactor-bom.svg) ](https://img.shields.io/maven-central/v/io.projectreactor/reactor-bom.svg)\n\nProject Reactor is organized into multiple projects:\n - [`reactor-core`](https://github.com/reactor/reactor-core/)\n - [`reactor-netty`](https://github.com/reactor/reactor-netty/)\n - addons like [`reactor-extra`](https://github.com/reactor/reactor-addons/) or [`reactor-pool`](https://github.com/reactor/reactor-pool/)\n\nA set of compatible versions for all these projects is curated under a BOM (\"Bill of Materials\") hosted under this very repository.\n\n## Using the BOM with Maven\nIn Maven, you need to import the bom first:\n\n```xml\n\u003cdependencyManagement\u003e\n    \u003cdependencies\u003e\n        \u003cdependency\u003e\n            \u003cgroupId\u003eio.projectreactor\u003c/groupId\u003e\n            \u003cartifactId\u003ereactor-bom\u003c/artifactId\u003e\n            \u003cversion\u003e2025.0.4\u003c/version\u003e\n            \u003ctype\u003epom\u003c/type\u003e\n            \u003cscope\u003eimport\u003c/scope\u003e\n        \u003c/dependency\u003e\n    \u003c/dependencies\u003e\n\u003c/dependencyManagement\u003e\n```\nNotice we use the `\u003cdependencyManagement\u003e` section and the `import` scope.\n\nNext, add your dependencies to the relevant reactor projects as usual, except without a `\u003cversion\u003e`:\n\n```xml\n\u003cdependencies\u003e\n    \u003cdependency\u003e\n        \u003cgroupId\u003eio.projectreactor\u003c/groupId\u003e\n        \u003cartifactId\u003ereactor-core\u003c/artifactId\u003e\n    \u003c/dependency\u003e\n    \u003cdependency\u003e\n        \u003cgroupId\u003eio.projectreactor\u003c/groupId\u003e\n        \u003cartifactId\u003ereactor-test\u003c/artifactId\u003e\n        \u003cscope\u003etest\u003c/scope\u003e\n    \u003c/dependency\u003e\n\u003c/dependencies\u003e\n```\n\n## Using the BOM with Gradle\n### Gradle 5.0+\nUse the `platform` keyword to import the Maven BOM within the `dependencies` block, then add dependencies to\nyour project without a version number.\n\n```groovy\ndependencies {\n     // import BOM\n     implementation platform('io.projectreactor:reactor-bom:2025.0.4')\n\n     // add dependencies without a version number\n     implementation 'io.projectreactor:reactor-core'\n}\n```\n\n### Gradle 4.x and earlier\nGradle versions prior to 5.0 have no core support for Maven BOMs, but you can use Spring's [`gradle-dependency-management` plugin](https://github.com/spring-gradle-plugins/dependency-management-plugin).\n\nFirst, apply the plugin from Gradle Plugin Portal (check and change the version if a new one has been released):\n\n```groovy\nplugins {\n    id \"io.spring.dependency-management\" version \"1.0.11.RELEASE\"\n}\n```\nThen use it to import the BOM:\n\n```groovy\ndependencyManagement {\n     imports {\n          mavenBom \"io.projectreactor:reactor-bom:2025.0.4\"\n     }\n}\n```\n\nThen add a dependency to your project without a version number:\n\n```groovy\ndependencies {\n     compile 'io.projectreactor:reactor-core'\n}\n```\n\n\n## BOM Versioning Scheme\nThe BOM can be imported in Maven, which will provide a set of default artifact versions to use whenever the corresponding dependency is added to a pom without an explicitly provided version.\n\nAs the different artifacts versions are not necessarily aligned, the BOM represents a release train with an heterogeneous range of versions that are curated to work together.\nThe artifact version follows the `YYYY.MINOR.MICRO-QUALIFIER` scheme since Europium, where:\n\n * `YYYY` is the year of the first GA release in a given release cycle (like 3.4.0 for 3.4.x)\n * `.MINOR` is a 0-based number incrementing with each new release cycle\n ** in the case of the BOM it allows discerning between release cycles in case two get first released the same year\n * `.PATCH` is a 0-based number incrementing with each service release\n * `-QUALIFIER` is a textual qualifier, which is omitted in the case of GA releases (see below)\n \nOn top of the artifact version, each release train has an associated codename, a chemical name from the [Periodic Table of Elements](https://en.wikipedia.org/wiki/List_of_chemical_elements) in growing alphabetical order, for reference in discussions.\n\nSo far, the release trains code names are:\n - `Aluminium` for the `3.0.x` generation of Reactor-Core ([:bulb:](# 'aluminium is shiny, as is this brand new release'))\n - `Bismuth` for the `3.1.x` generation ([:bulb:](# 'intricate crystaline structure, a bit like this release'))\n - `Californium` for the `3.2.x` generation ([:bulb:](# 'made in California, can be used to help start up nuclear reactors... shoutout to our own @smaldini moving there'))\n - `Dysprosium` for the `3.3.x` generation ([:bulb:](# 'means hard to get and is used in nuclear reactors'))\n - `Europium` (`2020.0`) for the `3.4.x` generation ([:bulb:](# 'a large part of the team is now based in Europe'))\n\nNOTE: Up until Dysprosium, the BOM was versioned using a release train scheme with a codename followed by a qualifier, and the qualifiers were slightly different.\nFor example: Aluminium-RELEASE (first GA release, would now be something like YYYY.0.0), Bismuth-M1, Californium-SR1 (service release\nwould now be something like YYYY.0.1), Dysprosium-RC1, Dysprosium-BUILD-SNAPSHOT (after each patch, we'd go back to the same snapshot version. would now be something\nlike YYYY.0.X-SNAPSHOT so we get 1 snapshot per PATCH).\n \n\n# Contributing, Community / Support\n\n[![license](https://img.shields.io/github/license/reactor/.github.svg?label=Reactor%20is)](https://github.com/reactor/.github/blob/main/LICENSE)\n\nAs hinted above, this repository is for hosting the BOM and for transverse issues only. Most of the time, if you're looking to open an issue or a PR, it should be done in a more specific repository corresponding to one of the actual artifacts.\n\nAll projects follow the same detailed contributing guidelines which you can find [here](https://github.com/reactor/.github/blob/main/CONTRIBUTING.md).\n\nThis document also give some ways you can get answers to your [questions](https://github.com/reactor/.github/blob/main/CONTRIBUTING.md#question-do-you-have-a-question).\n\n### Documentation\n\n* [Guides](https://projectreactor.io/docs)\n* [Reactive Streams](https://www.reactive-streams.org/)\n\n# Detail of Projects\n## Reactor Core\n[![Reactor Core](https://img.shields.io/badge/github-reactor/reactor--core-green.svg)](https://github.com/reactor/reactor-core)\n\nReactive foundations for apps and frameworks and reactive extensions inspired API with [Mono](https://projectreactor.io/docs/core/release/api/reactor/core/publisher/Mono.html) (1 element) and [Flux](https://projectreactor.io/docs/core/release/api/reactor/core/publisher/Flux.html) (n elements) types\n\n - API documentation: [/docs/core/release/api](https://projectreactor.io/docs/core/release/api)\n\n## Reactor Netty\n[![Reactor Netty](https://img.shields.io/badge/github-reactor/reactor--netty-green.svg)](https://github.com/reactor/reactor-netty)\n\nTCP and HTTP client and server.\n\n - API documentation: [/docs/netty/release/api](https://projectreactor.io/docs/netty/release/api)\n\n## Reactor Addons\n[![Reactor Addons](https://img.shields.io/badge/github-reactor/reactor--addons-green.svg)](https://github.com/reactor/reactor-addons)\n\nExtra projects adding features to reactor:\n\n  - **`reactor-adapter`**: adapt to/from various libraries, mainly RxJava 2.\n    - API documentation: [/docs/adapter/release/api](https://projectreactor.io/docs/adapter/release/api)\n  - **`reactor-extra`**: Retry utils, Math utils, ...\n    - API documentation: [/docs/extra/release/api](https://projectreactor.io/docs/extra/release/api)\n\n### Snapshot Artifacts\n\nWhile Stable Releases are synchronized with Maven Central, fresh snapshot and milestone artifacts are provided in the _repo.spring.io_ repositories.\n\nTo add this repo to your Maven build, add it to the `\u003crepositories\u003e` section like the following:\n\n```xml\n\u003crepositories\u003e\n\t\u003crepository\u003e\n\t    \u003cid\u003espring-snapshot\u003c/id\u003e\n\t    \u003cname\u003eSpring Snapshot Repository\u003c/name\u003e\n\t    \u003curl\u003ehttps://repo.spring.io/snapshot\u003c/url\u003e\n\t    \u003csnapshots\u003e\n\t        \u003cenabled\u003etrue\u003c/enabled\u003e\n\t    \u003c/snapshots\u003e\n\t\u003c/repository\u003e\n\u003c/repositories\u003e\n```\n\nTo add it to your Gradle build, use the `repositories` configuration like this:\n```groovy\nrepositories {\n\tmaven { url 'https://repo.spring.io/libs-snapshot' }\n\tmavenCentral()\n}\n```\n\nYou should then be able to import a `-SNAPSHOT` version of the BOM, like `2020.0.{NUMBER}-SNAPSHOT` for the `snapshot` of the `{NUMBER}th service release` of `2020.0` (Europium).\n\n_Sponsored by [VMware](https://tanzu.vmware.com)_\n","funding_links":[],"categories":["Others","Projects"],"sub_categories":["Reactive libraries"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Freactor%2Freactor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Freactor%2Freactor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Freactor%2Freactor/lists"}