stackoom
  简体   繁体   中英

Dependabot not upgrading major versions of Maven SNAPSHOT dependencies

 原文  2022-07-14 10:16:44       maven/ github/ dependabot

Question

I've got dependabot setup, but even though a new minor version of a SNAPSHOT dependency is available, it's not being found.

Take the following pom.xml :

<project xmlns="http://maven.apache.org/POM/4.0.0"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.org</groupId>
<artifactId>project</artifactId>
<version>2.4-SNAPSHOT</version>
<dependencies>
    <dependency>
        <groupId>com.org</groupId>
        <artifactId>dependency</artifactId>
        <version>1.1-SNAPSHOT</version>
    </dependency>
</dependencies>

With the following dependabot.yml :

version: 2
registries:
  github-maven:
    type: maven-repository
    url: https://maven.pkg.github.com/my-org/*/
    username: admin
    password: rosebud
updates:
  - package-ecosystem: maven
    registries: "*"
    directory: /
    schedule:
      interval: daily

There's now a 1.2-SNAPSHOT available in my private repository - I can see it's been uploaded to https://maven.pkg.github.com/my-org/maven-repository/com/org/dependency/1.2-SNAPSHOT/dependency-1.2-20220714.094840-17.jar

Looking in the Dependabot logs, it's clear it's found all the versions of dependency from the maven-metadata.xml , but it's failed to actually get any of those versions.

updater | INFO <job_418367509> Checking if com.org:dependency 1.1-SNAPSHOT needs updating
  proxy | 2022/07/14 09:41:03 [176] GET https://repo.maven.apache.org:443/maven2/com/ci/dependency/maven-metadata.xml
  proxy | 2022/07/14 09:41:03 [176] 404 https://repo.maven.apache.org:443/maven2/com/ci/dependency/maven-metadata.xml
  proxy | 2022/07/14 09:41:03 [178] GET https://maven.pkg.github.com:443/my-org/*/com/ci/dependency/maven-metadata.xml
  proxy | 2022/07/14 09:41:03 [178] * authenticating maven repository request (host: maven.pkg.github.com)
  proxy | 2022/07/14 09:41:03 [178] 200 https://maven.pkg.github.com:443/my-org/*/com/ci/dependency/maven-metadata.xml
  proxy | 2022/07/14 09:41:03 [180] HEAD https://repo.maven.apache.org:443/maven2/com/ci/dependency/1.2-SNAPSHOT/dependency-1.2-SNAPSHOT.jar
  proxy | 2022/07/14 09:41:03 [180] 404 https://repo.maven.apache.org:443/maven2/com/ci/dependency/1.2-SNAPSHOT/dependency-1.2-SNAPSHOT.jar
  proxy | 2022/07/14 09:41:03 [182] HEAD https://maven.pkg.github.com:443/my-org/*/com/ci/dependency/1.2-SNAPSHOT/dependency-1.2-SNAPSHOT.jar
  proxy | 2022/07/14 09:41:03 [182] * authenticating maven repository request (host: maven.pkg.github.com)
  proxy | 2022/07/14 09:41:04 [182] 404 https://maven.pkg.github.com:443/my-org/*/com/ci/dependency/1.2-SNAPSHOT/dependency-1.2-SNAPSHOT.jar
  proxy | 2022/07/14 09:41:04 [188] HEAD https://repo.maven.apache.org:443/maven2/com/ci/dependency/1.1-SNAPSHOT/dependency-1.1-SNAPSHOT.jar
  proxy | 2022/07/14 09:41:04 [188] 404 https://repo.maven.apache.org:443/maven2/com/ci/dependency/1.1-SNAPSHOT/dependency-1.1-SNAPSHOT.jar
  proxy | 2022/07/14 09:41:04 [190] HEAD https://maven.pkg.github.com:443/my-org/*/com/ci/dependency/1.1-SNAPSHOT/dependency-1.1-SNAPSHOT.jar
  proxy | 2022/07/14 09:41:04 [190] * authenticating maven repository request (host: maven.pkg.github.com)
  proxy | 2022/07/14 09:41:04 [190] 404 https://maven.pkg.github.com:443/my-org/*/com/ci/dependency/1.1-SNAPSHOT/dependency-1.1-SNAPSHOT.jar
updater | INFO <job_418367509> Latest version is 
updater | INFO <job_418367509> Requirements to unlock update_not_possible
updater | INFO <job_418367509> Requirements update strategy 
updater | INFO <job_418367509> No update possible for com.org:dependency 1.1-SNAPSHOT

I think the problem is that the SNAPSHOT versions all have the date in the filename, and although this is listed in the maven-metadata.xml , Dependabot doesn't support that. I'm not able to verify this as this is no longer a Maven behaviour you can change .

Non- SNAPSHOT dependencies in my private repository work fine with Dependabot, and my dependencies are resolved without issue in Maven for builds etc.

1 answers

solution1
 0  2022-08-03 13:57:41

This is a bug in Dependabot.

From GitHub support:

Our engineers found an issue with our support for SNAPSHOT packages in general. They have opened an issue for it, but there is not estimate for when a fix will be released.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Maven - Ranges in Snapshot Dependencies Maven - release snapshot dependencies Maven deploy and versions of dependencies Testing versions of dependencies in maven Maven resolving versions of dependencies Rules for SNAPSHOT versions in Maven repository maven versions release candidates and snapshot two versions of dependencies in maven Maven: Mission versions in dependencies How do I automate the update of SNAPSHOT dependencies to the latest released versions when using maven
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM