Changes to how Dependabot handles Maven versions #10626
jonjanego
announced in
Announcements
Replies: 1 comment 2 replies
-
First of all, I'd just like to thank dependabot for making our lives easier in a lot of ways :) We've notice a few weird issues with what I suspect is the version ordering. One example is wildfly/wildfly#18242 where it changed a SNAPSHOT down to a beta. Another odd one is downgrading a dependency, see the first commit from dependabot in https://github.com/wildfly/wildfly/pull/18219/commits. Lastly there appears to be a duplicate upgrade PR wildfly/wildfly#18244 and wildfly/wildfly#18238. I've opted to post this here instead of creating an issue, but if an issue is preferred please let me know. |
Beta Was this translation helpful? Give feedback.
2 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Hi Dependabot community. We wanted to let you know about some changes we are making to how we support Maven, and the impact that these changes could have on your projects.
Across Dependabot as a whole, we have been aiming to take a more consistent approach with how we determine precedence among versions. We have started by implementing a change in Dependabot common to follow semantic versioning for ecosystems that have no defined version standards, and are now moving toward implementing changes for specific ecosystems.
After undertaking an audit of the versioning behavior In Maven, we are making changes to Dependabot to follow the Maven version specification so that we determine precedence in a manner consistent with how Maven itself behaves when building a project. This will result in us no longer supporting the following version definitions for dependencies in Maven projects:
Dynamic versioning
We have previously allowed Dependabot to recognize dynamic versioning ranges in a Maven pom file, by supporting use of the
+
character. This is not an official part of the Maven specification and we will cease its support. The+
character will be treated like a normal alphanumeric character, instead of a dynamic version range.Prerelease qualifiers
We are no longer supporting
dev
,pre
, andpr
as prerelease qualifiers, which are not part of the official Maven specification. Maven instead recommends using:alpha
,beta
,milestone
,rc
,cr
andsnapshot
.If your Maven projects define versions using these patterns, you may begin encountering malformed version errors in your Dependabot jobs. To resolve these errors, please update your dependency definitions to follow the Maven version specification. Maven also includes a version testing tool you can use to evaluate your project’s behavior.
Please let us know in the discussion comments below if you have any questions!
Beta Was this translation helpful? Give feedback.
All reactions