Changes to how Dependabot handles Maven versions

[jonjanego]

Hi Dependabot community. We wanted to let you know about some changes we are making to how we support Maven, and the impact that these changes could have on your projects.

Across Dependabot as a whole, we have been aiming to take a more consistent approach with how we determine precedence among versions. We have started by implementing a change in Dependabot common to follow semantic versioning for ecosystems that have no defined version standards, and are now moving toward implementing changes for specific ecosystems.

After undertaking an audit of the versioning behavior In Maven, we are making changes to Dependabot to follow the Maven version specification so that we determine precedence in a manner consistent with how Maven itself behaves when building a project. This will result in us no longer supporting the following version definitions for dependencies in Maven projects:

Dynamic versioning

We have previously allowed Dependabot to recognize dynamic versioning ranges in a Maven pom file, by supporting use of the + character. This is not an official part of the Maven specification and we will cease its support. The + character will be treated like a normal alphanumeric character, instead of a dynamic version range.

Prerelease qualifiers

We are no longer supporting dev, pre, and pr as prerelease qualifiers, which are not part of the official Maven specification. Maven instead recommends using: alpha, beta, milestone, rc, cr and snapshot.

If your Maven projects define versions using these patterns, you may begin encountering malformed version errors in your Dependabot jobs. To resolve these errors, please update your dependency definitions to follow the Maven version specification. Maven also includes a version testing tool you can use to evaluate your project’s behavior.

Please let us know in the discussion comments below if you have any questions!

[jamezp]

First of all, I'd just like to thank dependabot for making our lives easier in a lot of ways :)

We've notice a few weird issues with what I suspect is the version ordering. One example is wildfly/wildfly#18242 where it changed a SNAPSHOT down to a beta.

Another odd one is downgrading a dependency, see the first commit from dependabot in https://github.com/wildfly/wildfly/pull/18219/commits.

Lastly there appears to be a duplicate upgrade PR wildfly/wildfly#18244 and wildfly/wildfly#18238.

I've opted to post this here instead of creating an issue, but if an issue is preferred please let me know.

[jonjanego]

Hi @jamezp -- thanks for reaching out! If you can create an issue (or even better -- 3 separate, as they are 3 separate problems) - it'd help us triage and figure out what went wrong here. Thanks!

[jamezp]

Thank you for the quick response and done :)

• Maven downgrading a SNAPSHOT dependency from a *.Final-SNAPSHOT to a *.Beta1 #10668
• Maven downgrading a dependency in one POM which really is an upgrade in another POM #10669
• Maven dependabot opened two PR's for the same upgrade #10670

If any of these need more detail don't hesitate to ask.