maven: stop querying repositories once one returns a result #5872
Huge improvement!
its(:count) { is_expected.to eq(87) }
its(:count) { is_expected.to eq(17) }
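Review bot: the expected count in this spec changes between these two lines (87 and 17) with no comment in the spec explaining the drop; add a one-line note naming the repository whose results now satisfy the query, so a future reader knows the remaining repositories are intentionally never consulted rather than the fixture having shrunk.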
🤯
Looks good! One question is whether the repos are currently in the right order where the first to return is the one we want?
@mctofu It seems to be, but I noticed the specs are using
Co-authored-by: Landon Grindheim <landon.grindheim@gmail.com>
I'll just state here that the rules from the docs linked above are:
1 and 3 don't apply because Dependabot doesn't support settings.xml, and runs in a clean environment. Rule 2 is captured pretty succinctly in this recursive section of code. I've updated the tests and they look correct.
🎉
Dependabot will stop looking for maven dependencies once it finds a repository that returns any number of results, even if none of those results match the requested version. This removes the ossrh repository because it brings in snapshot repositories that prevent dependabot from falling back to the central repository. See: dependabot/dependabot-core#5872
Hi, You are right regarding
But this applies when Maven is querying artifact
Per the Maven docs:
(emphasis mine)
So when Dependabot checks for updated versions, if it finds some it should stop querying. If the user has outdated dependencies in a registry that may be on purpose, and we should honor those versions presented and not try to find more.
I found "that augment the central repo" a good test of this as it failed once I made this change, so I fixed it and didn't feel the need to write another test.
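The stop-at-first-result rule described in the commit message and the comments above, as an added Ruby example that is not dependabot-core's own code. The repository names and metadata (`ossrh-snapshots`, `central`, the `com.example` artifacts) are constructed sample data, and `releases_shadowed` is a hypothetical check that reports which release versions a repository answering first hides from the repositories behind it.

```ruby
# Constructed sample metadata: "groupId:artifactId" => versions published
# in that repository. Not real repository contents.
SNAPSHOT_REPO = {
  "com.example:widget" => ["1.0.0-SNAPSHOT", "1.1.0-SNAPSHOT"]
}.freeze
CENTRAL_REPO = {
  "com.example:widget" => ["1.0.0", "1.1.0", "1.2.0"],
  "com.example:gadget" => ["2.0.0"]
}.freeze
REPOSITORIES = [
  { name: "ossrh-snapshots", metadata: SNAPSHOT_REPO },
  { name: "central", metadata: CENTRAL_REPO }
].freeze

# Query repositories in declared order and return the versions from the
# first one that answers with a non-empty list. Repositories after it are
# never contacted, even if none of the returned versions are what the
# caller wanted (the rule this PR implements). Also returns the names of
# the repositories actually queried so callers can see where it stopped.
def versions_from_repositories(dependency, repositories, queried = [])
  return { versions: [], queried: queried } if repositories.empty?

  repo, *rest = repositories
  queried << repo[:name]
  versions = repo[:metadata].fetch(dependency, [])
  return { versions: versions, queried: queried } unless versions.empty?

  versions_from_repositories(dependency, rest, queried)
end

# Hypothetical check: which release (non-SNAPSHOT) versions published by
# any repository in the list become unreachable because an earlier
# repository answered first? Useful when auditing a repository list that
# puts a snapshot-only repository ahead of central.
def releases_shadowed(dependency, repositories)
  found = versions_from_repositories(dependency, repositories)[:versions]
  return [] if found.empty?

  all_releases = repositories
                 .flat_map { |r| r[:metadata].fetch(dependency, []) }
                 .reject { |v| v.end_with?("-SNAPSHOT") }
  all_releases - found
end

if __FILE__ == $PROGRAM_NAME
  puts versions_from_repositories("com.example:widget", REPOSITORIES).inspect
  puts releases_shadowed("com.example:widget", REPOSITORIES).inspect
end
```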