Maven version search should search all repositories, not stop after the first maven-metadata.xml
#9383
Labels
L: docker
Docker containers
L: git:submodules
Git submodules
L: go:modules
Golang modules
L: java:maven
Maven packages via Maven
T: bug 🐞
Something isn't working
Package ecosystem
Maven
What you expected to see, versus what you actually saw
Presumably since #5872, Dependabot incorrectly stops looking for repositories once a maven-metadata.xml is found.
I asked @olamy (a Maven committer) about this, and his response in #5872 (comment) explains that the submitter of #5872 seems to have misunderstood the Maven documentation.
As a result, because the Jenkins project deployed a fork of Mina sshd-core to our own Maven repository a decade ago, and referencing that repository in pom.xml, Dependabot is unable to find more recent releases in repo1 as described in jenkins-infra/helpdesk#3919 (comment).
Native package manager behavior
Using the minimal example below:
Images of the diff or a link to the PR, issue, or logs
Using the minimal example below (at https://github.com/daniel-beck/dependabot-core-issue-9383):
Smallest manifest that reproduces the issue
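The difference between the two lookup strategies described in this issue, as an added illustration (not the reporter's manifest and not Dependabot's code). The coordinates org.example:demo-lib, the repository ids, and all version strings are constructed, and version ordering is simplified rather than Maven's full comparison rules.

```python
import xml.etree.ElementTree as ET

def metadata(versions):
    """Build a minimal maven-metadata.xml document (constructed sample data)."""
    items = "".join(f"<version>{v}</version>" for v in versions)
    return ("<metadata><groupId>org.example</groupId><artifactId>demo-lib</artifactId>"
            f"<versioning><versions>{items}</versions></versioning></metadata>")

# Repositories in pom.xml declaration order. None models a repository
# that has no maven-metadata.xml for this artifact (e.g. HTTP 404).
REPOS = {
    "project-repo": metadata(["1.0-fork-1", "1.0-fork-2"]),  # decade-old fork
    "unrelated-repo": None,
    "central": metadata(["1.0", "2.1.0", "2.3.0"]),          # newer releases
}

def versions_in(metadata_xml):
    """Return every <version> listed in one maven-metadata.xml, or [] if absent."""
    if metadata_xml is None:
        return []
    root = ET.fromstring(metadata_xml)
    return [v.text.strip() for v in root.findall("./versioning/versions/version") if v.text]

def version_key(version):
    """Simplified ordering: numeric segments first, then the qualifier string."""
    base, _, qualifier = version.partition("-")
    return (tuple(int(p) for p in base.split(".") if p.isdigit()), qualifier)

def latest_first_match(repos):
    """Behaviour reported in the issue: stop at the first repository with metadata."""
    for repo_id, xml in repos.items():
        found = versions_in(xml)
        if found:
            return repo_id, max(found, key=version_key)
    return None, None

def latest_all_repos(repos):
    """Expected behaviour: consider versions from every declared repository."""
    origin = {}
    for repo_id, xml in repos.items():
        for v in versions_in(xml):
            origin.setdefault(v, repo_id)  # remember the first repo offering v
    if not origin:
        return None, None
    best = max(origin, key=version_key)
    return origin[best], best

if __name__ == "__main__":
    print("first match :", latest_first_match(REPOS))
    print("all repos   :", latest_all_repos(REPOS))
```

With first-match lookup the stale fork hides every newer release in the later repository, so update pull requests for those releases are never proposed.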