Java Maven Artifact Migration #2205
Comments
This would be awesome! |
Agreed - need to look into how spotbugs does that! |
Spotbugs and others can figure this out using the

```xml
<distributionManagement>
  <relocation>
    <groupId>commons-io</groupId>
    <artifactId>commons-io</artifactId>
    <message>https://issues.sonatype.org/browse/MVNCENTRAL-244</message>
  </relocation>
</distributionManagement>
```

See Maven documentation for more details.

I started to dig a little into this but soon realized this might be bigger than expected. Not only would we need to fetch the latest dependency metadata (which isn't too bad but it does break a lot of the tests), the bigger issue I see is in actually rewriting the dependency coordinates. The maven UpdateChecker mostly deals with versions whereas we'd need to rewrite group_id and artifact_id of the maven dependency as well. This already challenges a lot of assumptions in the current version_finder (see bmuskalla/dependabot-core@7553704 for a rough approach; actually a lot of the existing code would better be refactored as it currently assumes the maven coordinates are stable).

@greysteil and @hmarr, any thoughts on whether this is worth the effort before I spend any more time on this? Or is there maybe a better way to introduce such a dependency rewrite? |
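
The relocation lookup described in the comment above, as an added example that is not part of the original thread or of dependabot-core: it reads a POM's `<relocation>` block and resolves the new coordinates, with omitted fields falling back to the original artifact's values as Maven does. The old coordinates (`org.example.old`, version `1.0`) and the function name `resolve_relocation` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the relocation block quoted above, wrapped in a minimal
# <project>. The old groupId and version are placeholders.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example.old</groupId>
  <artifactId>commons-io</artifactId>
  <version>1.0</version>
  <distributionManagement>
    <relocation>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <message>https://issues.sonatype.org/browse/MVNCENTRAL-244</message>
    </relocation>
  </distributionManagement>
</project>"""


def _children(node):
    # Map local tag name -> element, ignoring the POM XML namespace.
    return {child.tag.rsplit("}", 1)[-1]: child for child in node}


def _text(node):
    return node.text.strip() if node is not None and node.text else None


def resolve_relocation(pom_xml):
    """Return the relocated coordinates declared by a POM, or None."""
    # POMs fetched from a registry are untrusted input; a hardened parser such
    # as defusedxml is the safer choice outside of an example.
    project = _children(ET.fromstring(pom_xml))
    dist = project.get("distributionManagement")
    relocation = _children(dist).get("relocation") if dist is not None else None
    if relocation is None:
        return None
    parent = _children(project["parent"]) if "parent" in project else {}
    target = _children(relocation)
    resolved = {}
    for field in ("groupId", "artifactId", "version"):
        # Fields omitted from <relocation> keep the original artifact's value;
        # groupId and version may themselves be inherited from <parent>.
        original = _text(project.get(field))
        if original is None and field != "artifactId":
            original = _text(parent.get(field))
        resolved[field] = _text(target.get(field)) or original
    resolved["message"] = _text(target.get("message"))
    return resolved
```

An update tool would compare the returned coordinates with the declared dependency and propose the rewrite only when they differ, surfacing `message` so a reviewer can confirm the move before accepting new coordinates.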
@feelepxyz Thoughts on @bmuskalla's comment? |
@rebelagentm @bmuskalla thanks for starting a fix for this! 🙇 I think you're right, sounds like this will be a non-trivial change given our current architecture. Also haven't looked into how our maven setup works in detail but wondering if we could set the new group id and artifact id in requirement metadata for the updated dependencies and then read these out when updating; we already do something like this here:
|
Duplicate of: |
When running my build, spotbugs appears to have suggested:
I'm not sure internally how spotbugs knows this, but I think it'd be awesome if dependabot were able to handle this type of PR. We were using:
and now we can use instead