
Dependabot does not detect version update on maven-site-plugin from 3.12.0 to 4.0.0-M2

Open lestephane opened this issue 1 year ago • 4 comments

Package ecosystem: maven
Package manager version: n/a
Language version: n/a
Manifest location and content before the Dependabot update: /pom.xml

dependabot.yml content

version: 2
updates:
  - directory: "/" # Location of package manifests
    package-ecosystem: "maven" # See documentation for possible values
    rebase-strategy: "auto"
    schedule:
      interval: "daily"

Updated dependency

    <build>
        <pluginManagement>
            <plugins>
                ...
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-site-plugin</artifactId>
                    <version>3.12.0</version>
                </plugin>

What you expected to see, versus what you actually saw

a PR should have been created by dependabot for the update to 4.0.0-M2

Instead

  • Dependabot did not run (there were 0 PRs, and the insights page said Dependabot last ran 3 days ago). I had to trigger it manually.
  • Dependabot logging clearly shows it did not detect the update

Dependabot logs:

updater | INFO <job_419448378> Checking if org.apache.maven.plugins:maven-site-plugin 3.12.0 needs updating
  proxy | 2022/07/15 21:51:46 [136] GET https://repo.maven.apache.org:443/maven2/org/apache/maven/plugins/maven-site-plugin/maven-metadata.xml
  proxy | 2022/07/15 21:51:46 [136] 200 https://repo.maven.apache.org:443/maven2/org/apache/maven/plugins/maven-site-plugin/maven-metadata.xml
  proxy | 2022/07/15 21:51:46 [138] HEAD https://repo.maven.apache.org:443/maven2/org/apache/maven/plugins/maven-site-plugin/3.12.0/maven-site-plugin-3.12.0.jar
  proxy | 2022/07/15 21:51:46 [138] 200 https://repo.maven.apache.org:443/maven2/org/apache/maven/plugins/maven-site-plugin/3.12.0/maven-site-plugin-3.12.0.jar
updater | INFO <job_419448378> Latest version is 3.12.0
updater | INFO <job_419448378> No update needed for org.apache.maven.plugins:maven-site-plugin 3.12.0

Actual content of the metadata file:

$ wget --server-response -qO- https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-site-plugin/maven-metadata.xml | head
  HTTP/1.1 200 OK
  Connection: keep-alive
  Content-Length: 1441
  ETag: "8ac057d75f6e5183732a3acfd1c59e21"
  Content-Type: text/xml
  Last-Modified: Sun, 26 Jun 2022 12:26:37 GMT
  X-Checksum-MD5: 8ac057d75f6e5183732a3acfd1c59e21
  X-Checksum-SHA1: 8287b265568a47719b5d0048362e20b4b1ab1c34
  Via: 1.1 varnish, 1.1 varnish
  Accept-Ranges: bytes
  Date: Tue, 19 Jul 2022 07:49:32 GMT
  Age: 662692
  X-Served-By: cache-iad-kjyo7100059-IAD, cache-dal21251-DAL
  X-Cache: HIT, HIT
  X-Cache-Hits: 2, 1
  X-Timer: S1658216973.649554,VS0,VE1
<?xml version="1.0" encoding="UTF-8"?>
<metadata>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-site-plugin</artifactId>
  <versioning>
    <latest>4.0.0-M2</latest>
    <release>4.0.0-M2</release>
    <versions>
      <version>2.0-beta-1</version>
      <version>2.0-beta-2</version>

Native package manager behavior n/a

Images of the diff or a link to the PR, issue, or logs n/a (private repo)

🕹 Bonus points: Smallest manifest that reproduces the issue

lestephane avatar Jul 19 '22 07:07 lestephane

Another plugin update is found by versions:display-plugin-updates but not dependabot

maven-surefire-plugin .......................... 2.22.2 -> 3.0.0-M7

Could this have to do with the -M\d in the release number? Is dependabot ignoring those by any chance, thinking these aren't real releases? And if so, is there any way to get dependabot to consider -M\d versions as well? These are fairly typical for plugins in the maven ecosystem.

lestephane avatar Jul 22 '22 16:07 lestephane

We use M for milestone releases, which means that it is work in progress and might break your stuff. This only happens in major releases. Therefore we do not recommend blindly updating such things and expecting everything to work. Especially with something like Maven Site Plugin. See also: https://github.com/dependabot/dependabot-core/issues/5419 and https://issues.apache.org/jira/browse/MSITE-907

michael-o avatar Jul 25 '22 20:07 michael-o

@michael-o Thanks for the heads up, so basically:

  • YES, -M\d versions are ignored.
  • NO, this cannot be changed

Correct?

lestephane avatar Aug 05 '22 14:08 lestephane

@lestephane I am not affiliated with dependabot at all, in fact I consider it pure noise and it is on my spam list, but my statement holds true. Major version updates must be done manually, not by some bots. See here for an ugly update fallout: https://github.com/apache/maven-doxia/pull/109

michael-o avatar Aug 05 '22 15:08 michael-o

Dependabot will generally attempt to keep you on the same stability level or better. For example, if your manifest specifies a beta version, it will attempt to upgrade you to later beta versions or to later full release versions but we would not create a PR for an alpha version.

This logic also applies to Milestone or Snapshot releases in Maven. At this time there is not a configuration option to alter this behavior.

pavera avatar Aug 17 '22 17:08 pavera
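As an added illustration of the stability rule pavera describes (example code written for this page, not code from the issue, from dependabot-core, or from Maven), the check below reads an abbreviated copy of the maven-metadata.xml quoted in the issue and picks the newest version that keeps the manifest at the same stability level or better. With the manifest on 3.12.0 it reports 3.12.0, matching the "Latest version is 3.12.0" log line; with the manifest already on 4.0.0-M1 it offers 4.0.0-M2. The qualifier list used to classify prereleases and the version comparator are simplifications assumed here, not Maven's ComparableVersion or Dependabot's own version class, and the metadata document is constructed from the fragment in the issue with the version list shortened.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the metadata fragment from the issue with the
# <versions> list cut down to a handful of entries.
METADATA_XML = """<?xml version="1.0" encoding="UTF-8"?>
<metadata>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-site-plugin</artifactId>
  <versioning>
    <latest>4.0.0-M2</latest>
    <release>4.0.0-M2</release>
    <versions>
      <version>2.0-beta-1</version>
      <version>3.11.0</version>
      <version>3.12.0</version>
      <version>4.0.0-M1</version>
      <version>4.0.0-M2</version>
    </versions>
  </versioning>
</metadata>
"""

# Assumed (simplified) set of qualifiers that mark a Maven version as
# not-yet-stable: milestones (-M2), betas, alphas, release candidates,
# snapshots. Matched case-insensitively as a whole dash/dot-delimited token.
PRERELEASE = re.compile(
    r"(?i)(^|[.-])(milestone|alpha|beta|rc|cr|snapshot|m)\d*([.-]|$)"
)


def is_prerelease(version):
    """True if the version carries one of the assumed prerelease qualifiers."""
    return bool(PRERELEASE.search(version))


def version_key(version):
    """Sort key: numeric prefix, then 'plain release beats qualified', then qualifier.

    Tokens are wrapped as (0, int) or (1, str) so mixed tuples stay comparable.
    This is a simplification of Maven's ordering, sufficient for the versions here.
    """
    tokens = re.split(r"[.-]", version)
    numeric = []
    i = 0
    while i < len(tokens) and tokens[i].isdigit():
        numeric.append(int(tokens[i]))
        i += 1
    qualifier = tuple(
        (0, int(t)) if t.isdigit() else (1, t.lower()) for t in tokens[i:]
    )
    return (tuple(numeric), 0 if qualifier else 1, qualifier)


def versions_from_metadata(xml_text):
    """Return the <version> entries of a maven-metadata.xml document, in file order."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [v.text.strip() for v in root.findall("./versioning/versions/version")]


def latest_allowed(current, candidates):
    """Newest candidate that is newer than `current` and no less stable than it.

    Prerelease candidates are eligible only when the manifest is already on a
    prerelease; otherwise the current version is returned unchanged (no update).
    """
    allow_pre = is_prerelease(current)
    eligible = [
        v for v in candidates
        if version_key(v) > version_key(current) and (allow_pre or not is_prerelease(v))
    ]
    return max(eligible, key=version_key, default=current)


if __name__ == "__main__":
    available = versions_from_metadata(METADATA_XML)
    for manifest_version in ("3.12.0", "3.11.0", "4.0.0-M1"):
        print(manifest_version, "->", latest_allowed(manifest_version, available))
    # The maven-surefire-plugin case from the thread, as a plain list:
    print("2.22.2 ->", latest_allowed("2.22.2", ["2.22.2", "3.0.0-M7"]))
```

Running the block prints `3.12.0 -> 3.12.0` (milestones skipped), `3.11.0 -> 3.12.0` (a plain release is still offered), `4.0.0-M1 -> 4.0.0-M2` (already on a milestone, so a newer milestone is acceptable) and `2.22.2 -> 2.22.2`, which is the surefire outcome the second comment observed.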