dependabot-core
Dependabot does not detect version update on maven-site-plugin from 3.12.0 to 4.0.0-M2
Package ecosystem: maven
Package manager version: n/a
Language version: n/a
Manifest location and content before the Dependabot update: /pom.xml
dependabot.yml content:
version: 2
updates:
  - directory: "/" # Location of package manifests
    package-ecosystem: "maven" # See documentation for possible values
    rebase-strategy: "auto"
    schedule:
      interval: "daily"
Updated dependency:
<build>
  <pluginManagement>
    <plugins>
      ...
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-site-plugin</artifactId>
        <version>3.12.0</version>
      </plugin>
What you expected to see, versus what you actually saw
a PR should have been created by dependabot for the update to 4.0.0-M2
Instead
- Dependabot did not run (there were 0 PRs, and the insights page said Dependabot last ran 3 days ago). I had to trigger it manually.
- Dependabot logging clearly shows it did not detect the update
Dependabot logs:
updater | INFO <job_419448378> Checking if org.apache.maven.plugins:maven-site-plugin 3.12.0 needs updating
proxy | 2022/07/15 21:51:46 [136] GET https://repo.maven.apache.org:443/maven2/org/apache/maven/plugins/maven-site-plugin/maven-metadata.xml
proxy | 2022/07/15 21:51:46 [136] 200 https://repo.maven.apache.org:443/maven2/org/apache/maven/plugins/maven-site-plugin/maven-metadata.xml
proxy | 2022/07/15 21:51:46 [138] HEAD https://repo.maven.apache.org:443/maven2/org/apache/maven/plugins/maven-site-plugin/3.12.0/maven-site-plugin-3.12.0.jar
proxy | 2022/07/15 21:51:46 [138] 200 https://repo.maven.apache.org:443/maven2/org/apache/maven/plugins/maven-site-plugin/3.12.0/maven-site-plugin-3.12.0.jar
updater | INFO <job_419448378> Latest version is 3.12.0
updater | INFO <job_419448378> No update needed for org.apache.maven.plugins:maven-site-plugin 3.12.0
Actual content of the metadata file:
$ wget --server-response -qO- https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-site-plugin/maven-metadata.xml | head
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 1441
ETag: "8ac057d75f6e5183732a3acfd1c59e21"
Content-Type: text/xml
Last-Modified: Sun, 26 Jun 2022 12:26:37 GMT
X-Checksum-MD5: 8ac057d75f6e5183732a3acfd1c59e21
X-Checksum-SHA1: 8287b265568a47719b5d0048362e20b4b1ab1c34
Via: 1.1 varnish, 1.1 varnish
Accept-Ranges: bytes
Date: Tue, 19 Jul 2022 07:49:32 GMT
Age: 662692
X-Served-By: cache-iad-kjyo7100059-IAD, cache-dal21251-DAL
X-Cache: HIT, HIT
X-Cache-Hits: 2, 1
X-Timer: S1658216973.649554,VS0,VE1
<?xml version="1.0" encoding="UTF-8"?>
<metadata>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
<versioning>
<latest>4.0.0-M2</latest>
<release>4.0.0-M2</release>
<versions>
<version>2.0-beta-1</version>
<version>2.0-beta-2</version>
Native package manager behavior: n/a
Images of the diff or a link to the PR, issue, or logs: n/a (private repo)
🕹 Bonus points: Smallest manifest that reproduces the issue
Another plugin update is found by versions:display-plugin-updates but not by dependabot:
maven-surefire-plugin .......................... 2.22.2 -> 3.0.0-M7
Could this have to do with the -M\d in the release number? Is dependabot ignoring those by any chance, thinking these aren't real releases? And if so, is there any way to get dependabot to consider -M\d versions as well? These are fairly typical for plugins in the maven ecosystem.
We use M for milestone releases, which means that it is work in progress and might break your stuff. This only happens in major releases. Therefore we do not recommend blindly updating such things and expecting everything to work, especially something like Maven Site Plugin. See also: https://github.com/dependabot/dependabot-core/issues/5419 and https://issues.apache.org/jira/browse/MSITE-907
@michael-o Thanks for the heads up, so basically:
- YES, -M\d versions are ignored.
- NO, this cannot be changed
Correct?
@lestephane I am not affiliated with dependabot at all, in fact I consider it pure noise and it is on my spam list, but my statement holds true. Major version updates must be done manually, not by some bots. See here for an ugly update fallout: https://github.com/apache/maven-doxia/pull/109
Dependabot will generally attempt to keep you on the same stability level or better. For example, if your manifest specifies a beta version, it will attempt to upgrade you to later beta versions or to later full release versions but we would not create a PR for an alpha version.
This logic also applies with Milestone or Snapshot releases in Maven. At this time there is not a configuration option to alter this behavior.
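As an added example (not dependabot-core's own code, whose real version handling lives in its Ruby classes and is not reproduced here), the Python script below models the "same stability level or better" rule from the reply above and runs it against a constructed maven-metadata.xml shaped like the one in the issue. The stability ranking (snapshot < alpha < beta < milestone < rc < release), the helper names and the sample version lists are assumptions made for the illustration; it shows why 3.12.0 gets no candidate even though the metadata's <latest> is 4.0.0-M2, and why a manifest already on 3.0.0-M6 would be offered 3.0.0-M7.

```python
"""Added example (not dependabot-core's code): a simplified model of the
"same stability level or better" rule, run against a constructed
maven-metadata.xml modelled on the one quoted in the issue.

Assumptions (mine, not Dependabot's documented behaviour):
  * a version with no qualifier is a full release;
  * pre-release qualifiers rank snapshot < alpha < beta < milestone < rc;
  * an unknown qualifier is treated as the least stable level.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the versions relevant to the issue.
METADATA_XML = """<?xml version="1.0" encoding="UTF-8"?>
<metadata>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-site-plugin</artifactId>
  <versioning>
    <latest>4.0.0-M2</latest>
    <release>4.0.0-M2</release>
    <versions>
      <version>3.10.0</version>
      <version>3.11.0</version>
      <version>3.12.0</version>
      <version>4.0.0-M1</version>
      <version>4.0.0-M2</version>
    </versions>
  </versioning>
</metadata>
"""

# Assumed stability levels; only their relative order matters.
STABILITY = {"snapshot": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2,
             "milestone": 3, "m": 3, "rc": 4, "cr": 4}
RELEASE = 5

QUALIFIER_RE = re.compile(r"^(?P<name>[a-z]+)-?(?P<num>\d*)$")


def parse(version):
    """Split '4.0.0-M2' into ((4,), 3, 2): numeric part, stability, pre-release number.

    Trailing zeros are dropped so '3.0.0' and '3.0' compare equal. This is a
    simplification of Maven's ComparableVersion, not a reimplementation of it.
    """
    base, _, qualifier = version.strip().lower().partition("-")
    numbers = [int(p) if p.isdigit() else 0 for p in base.split(".")]
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers.pop()
    if not qualifier:
        return tuple(numbers), RELEASE, 0
    match = QUALIFIER_RE.match(qualifier)
    if match and match.group("name") in STABILITY:
        return tuple(numbers), STABILITY[match.group("name")], int(match.group("num") or 0)
    return tuple(numbers), 0, 0  # unknown qualifier: assume least stable


def stability(version):
    return parse(version)[1]


def versions_from_metadata(xml_text):
    """All <version> entries from a maven-metadata.xml document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [v.text.strip() for v in root.iter("version") if v.text]


def metadata_latest(xml_text):
    """The <latest> entry, which can point at a milestone (as in the issue)."""
    latest = ET.fromstring(xml_text.encode("utf-8")).find("versioning/latest")
    return latest.text.strip() if latest is not None and latest.text else None


def latest_allowed(current, candidates):
    """Newest candidate newer than `current` and at least as stable as it, else None."""
    floor = stability(current)
    eligible = [c for c in candidates
                if stability(c) >= floor and parse(c) > parse(current)]
    return max(eligible, key=parse) if eligible else None


if __name__ == "__main__":
    site = versions_from_metadata(METADATA_XML)
    print("metadata <latest>:", metadata_latest(METADATA_XML))   # 4.0.0-M2
    print("3.12.0 ->", latest_allowed("3.12.0", site))           # None: milestone is less stable
    print("4.0.0-M1 ->", latest_allowed("4.0.0-M1", site))       # 4.0.0-M2: same level
    # Constructed list for the surefire case from the bonus section.
    surefire = ["2.22.2", "3.0.0-M5", "3.0.0-M6", "3.0.0-M7"]
    print("2.22.2 ->", latest_allowed("2.22.2", surefire))       # None
    print("3.0.0-M6 ->", latest_allowed("3.0.0-M6", surefire))   # 3.0.0-M7
```

The contrast worth noting is between `metadata_latest`, which trusts the repository's `<latest>` element, and `latest_allowed`, which filters by the stability floor of the version already in the manifest; the issue's log line "Latest version is 3.12.0" is what the second function produces for this input, not a failure to fetch or parse the metadata.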