ben-manes / gradle-versions-plugin

Gradle plugin to discover dependency updates
Apache License 2.0

Sonatype links are now broken because of search.maven.org #748

Closed marcosalis closed 1 year ago

marcosalis commented 1 year ago

First of all, thank you for this extremely useful plugin!

There is a slight issue with the reporting, as the Sonatype/Maven links to builds have changed.

Example of broken link in report: https://search.maven.org/artifact/androidx.activity/activity-ktx/1.6.1/bundle

I believe that now search.maven.org has fully migrated to central.sonatype.com, as the message at this link says.

ben-manes commented 1 year ago

What is the reporting issue? That domain is only referenced as a (possible) quick link in the HTML report. That Android dependency is not on Maven Central and is on Google's repository. That causes the link to fail as not found.

We don't know where the dependency was located by Gradle during resolution; it's just a best-effort guess. The majority of the community uses Central, but some ecosystems decided to diverge. Many therefore use mvnrepository.com as a meta UI that indexes multiple repositories, but it is not official and displays ads, which could erode trust.

marcosalis commented 1 year ago

Yes indeed, Google's Android dependencies are on their repository (here). I was about to suggest using mvnrepository.com (the above dependency is present there), but you are right in that it's not official. It could be useful as a second link in the HTML report, but I understand if you prefer not to add it for the mentioned reasons.

> I believe that now search.maven.org has fully migrated to central.sonatype.com, as the message at this link says.

This point is still relevant though, as at some point central.sonatype.com might fully replace the currently used search.maven.org.

ben-manes commented 1 year ago

I'd be fine having the URLs swapped and additional links to other repositories. It used to include jcenter in the HTML report. Having a few likely ones, including mvnrepository, might be better. I am hesitant to make it the only link since it is unofficial, but multiple quick links seem okay. Of course, if most people would be happier with mvnrepository, then I'm not strongly opposed.

PRs are welcome, you can see relevant code if interested.