`use-latest-releases` checks transitive dependencies instead of direct dependencies
Given the following pom.xml file:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.4</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>demo</name>
    <description>demo</description>
    <properties>
        <java.version>17</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
```
I expected the command:

```
mvn org.codehaus.mojo:versions-maven-plugin:2.12.0:use-latest-releases -DallowMajorUpdates=false -DgenerateBackupPoms=false
```

to give the following input:

```
[INFO] --- versions-maven-plugin:2.12.0:use-latest-releases (default-cli) @ demo ---
[INFO] Minor version changes allowed
[INFO] artifact org.springframework.boot:spring-boot-starter-parent: checking for updates from central
```
But instead it checks all the following dependencies:

```
[INFO] --- versions-maven-plugin:2.12.0:use-latest-releases (default-cli) @ demo ---
[INFO] Minor version changes allowed
[INFO] artifact io.netty:netty-transport-sctp: checking for updates from central
[INFO] artifact io.netty:netty-transport-udt: checking for updates from central
[INFO] artifact io.netty:netty-example: checking for updates from central
[INFO] artifact io.netty:netty-all: checking for updates from central
[INFO] artifact io.netty:netty-resolver-dns-classes-macos: checking for updates from central
[INFO] artifact io.netty:netty-resolver-dns-native-macos: checking for updates from central
[INFO] artifact io.netty:netty-transport-native-unix-common: checking for updates from central
[INFO] artifact io.netty:netty-transport-classes-epoll: checking for updates from central
[INFO] artifact io.netty:netty-transport-native-epoll: checking for updates from central
[INFO] artifact io.netty:netty-transport-classes-kqueue: checking for updates from central
[INFO] artifact io.netty:netty-transport-native-kqueue: checking for updates from central
[INFO] artifact io.netty:netty-tcnative-classes: checking for updates from central
[INFO] artifact io.netty:netty-tcnative: checking for updates from central
[INFO] artifact io.netty:netty-tcnative-boringssl-static: checking for updates from central
OUTPUT SKIPPED
```
I believe it's because it checks all the transitive dependencies rather than only the direct dependencies. It's troublesome because on big projects, it's very long. I tried running it the other day, and I gave up after 9 hours of runtime. The next day, I made it run from a server which has a very high bandwidth to our Nexus, and it took 7h30.
I checked the code of UseLatestReleaseMojo.java, and I saw it's calling the method getDependencies. This method returns transitive dependencies. And I don't see any filtering before the call to getNewerVersions, which I guess is doing the slow HTTP queries. I think the code should only fetch the direct dependencies. I can write the PR if I get any feedback.
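
An added example, not part of the original report or the plugin's own code: a Python script that compares the artifacts named in the plugin's `checking for updates` log lines with the coordinates written in the POM itself (parent, dependencies, build plugins), so the scope of what an automated version bump touches can be measured. The sample POM and log are constructed from the report, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
CHECK_RE = re.compile(r"\[INFO\] artifact ([\w.\-]+):([\w.\-]+): checking for updates")
# Elements whose coordinates are written in the POM itself.
DECLARED_PATHS = ("m:parent", "m:dependencies/m:dependency", "m:build/m:plugins/m:plugin")

# Constructed sample: a trimmed copy of the POM from the report.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
  </parent>
  <dependencies><dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter</artifactId>
  </dependency></dependencies>
</project>"""

# Constructed sample: log lines in the format shown in the report.
SAMPLE_LOG = """\
[INFO] artifact io.netty:netty-transport-sctp: checking for updates from central
[INFO] artifact io.netty:netty-all: checking for updates from central
[INFO] artifact org.springframework.boot:spring-boot-starter-parent: checking for updates from central
"""

def declared_coordinates(pom_text):
    """Return groupId:artifactId for the parent, dependencies and plugins in the POM."""
    root = ET.fromstring(pom_text)
    coords = set()
    for path in DECLARED_PATHS:
        for node in root.findall(path, NS):
            group = node.findtext("m:groupId", default="", namespaces=NS).strip()
            artifact = node.findtext("m:artifactId", default="", namespaces=NS).strip()
            coords.add(f"{group}:{artifact}")
    return coords

def undeclared_checks(pom_text, log_text):
    """Return checked artifacts (log order, de-duplicated) that the POM does not declare."""
    declared = declared_coordinates(pom_text)
    result = []
    for line in log_text.splitlines():
        match = CHECK_RE.match(line.strip())
        if match:
            coord = f"{match.group(1)}:{match.group(2)}"
            if coord not in declared and coord not in result:
                result.append(coord)
    return result
```

For a real project, pass the contents of `pom.xml` and the captured Maven output to `undeclared_checks`; every coordinate it returns was looked up without being written in that POM.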