
Dependabot does not recognize SemVer v2 versions with build metadata

Open LukasPrediger opened this issue 1 year ago • 0 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Package ecosystem

Gradle

Package manager version

7.5.1

Language version

17

Manifest location and content before the Dependabot update

/build.gradle.kts

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "daily"
    commit-message:
      prefix: "DEPBOT-GRADLE"
      include: "scope"
    reviewers:
      - "github-team"
    registries: "*"
    ignore:
      - dependency-name: "org.jetbrains.kotlin.jvm"
        update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
registries:
  internal-registry:
    [...]

Updated dependency

No response

What you expected to see, versus what you actually saw

We deployed a test dependency in order to verify a new version schema based on SemVer version 2.

The dependency is used in version 0.0.4. A new update is deployed: 0.0.6+3.2.1

Contents of the pulled maven-metadata.xml

<?xml version="1.0" encoding="UTF-8"?>
<metadata modelVersion="1.1.0">
  <groupId>group</groupId>
  <artifactId>dependency</artifactId>
  <version>0.0.6+3.2.1</version>
  <versioning>
    <latest>0.0.6+3.2.1</latest>
    <release>0.0.6+3.2.1</release>
    <versions>
      <version>0.0.1</version>
      <version>0.0.2</version>
      <version>0.0.3</version>
      <version>0.0.4</version>
      <version>0.0.6+3.2.1</version>
    </versions>
    <lastUpdated>20240221103735</lastUpdated>
  </versioning>
</metadata>

Log output

  proxy | 2024/02/21 14:01:04 [028] GET https://internal-repository.com/path/to/dependency/maven-metadata.xml
  proxy | 2024/02/21 14:01:04 [028] * authenticating maven repository request (host: -)
  proxy | 2024/02/21 14:01:05 [028] 200 https://internal-repository.com/path/to/dependency/maven-metadata.xml
updater | 2024/02/21 14:01:05 INFO <job_790144545> Latest version is 0.0.4
updater | 2024/02/21 14:01:05 INFO <job_790144545> No update needed for group:dependency 0.0.4

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

LukasPrediger, Feb 21 '24 14:02
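
The symptom reported above, reproduced as an added example that is not part of the original issue and is not Dependabot's own code: a version filter that does not accept `+build` metadata silently drops `0.0.6+3.2.1` and reports `0.0.4` as latest, while a SemVer 2 aware filter selects it. `NO_BUILD`, `SEMVER2` and the helper names are hypothetical, and the issue does not state the actual cause inside Dependabot.

```ruby
# Constructed sample: the <versions> list from the maven-metadata.xml in the report.
METADATA = <<~XML
  <metadata modelVersion="1.1.0">
    <versioning>
      <versions>
        <version>0.0.1</version>
        <version>0.0.2</version>
        <version>0.0.3</version>
        <version>0.0.4</version>
        <version>0.0.6+3.2.1</version>
      </versions>
    </versioning>
  </metadata>
XML

# Hypothetical filter without "+build" support (an assumption, not Dependabot's code).
NO_BUILD = /\A(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?\z/
# SemVer 2.0.0 shape with optional build metadata. Simplified: leading zeros and
# empty identifiers are not rejected.
SEMVER2 = /\A(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+([0-9A-Za-z.-]+))?\z/

# Pull the version strings out of the <versions> element.
def listed_versions(xml)
  xml[%r{<versions>(.*?)</versions>}m, 1].to_s.scan(%r{<version>([^<]+)</version>}).flatten
end

# Sort key following SemVer 2.0.0 precedence: numeric core, a release outranks its
# pre-releases, numeric pre-release identifiers sort below alphanumeric ones, and
# build metadata (capture 5) is ignored.
def precedence(match)
  ids = match[4].to_s.split(".").map do |id|
    id.match?(/\A\d+\z/) ? [0, id.to_i, ""] : [1, 0, id]
  end
  [match.captures.first(3).map(&:to_i), match[4] ? 0 : 1, ids]
end

# Highest version among those the pattern accepts; rejected strings are dropped silently.
def latest(versions, pattern)
  accepted = versions.filter_map { |v| (m = pattern.match(v)) && [precedence(m), v] }
  accepted.max_by(&:first)&.last
end

versions = listed_versions(METADATA)
puts "without +build support: #{latest(versions, NO_BUILD)}"
puts "SemVer 2 aware:         #{latest(versions, SEMVER2)}"
```

Because the rejected string is dropped without an error, the only visible sign is a "No update needed" result, so a check that counts listed versus accepted versions is a practical way to surface the gap.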