dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Feature: Update Maven Archetypes #2144

Open dmitry-timofeev opened 5 years ago

dmitry-timofeev commented 5 years ago

Hi, thanks for the awesome bot!

It would be great if dependabot was able to update pom.xml in Maven archetypes. A Maven archetype works as a template for new projects (e.g., a Spring Boot web application) and contains a template pom.xml, which usually declares some dependencies. As this pom.xml is a template for new projects, it is not a part of a multi-module build definition. Currently dependabot ignores such files, and they must be manually updated.

Workarounds

Properties substitution

  1. Make the archetype resource POMs a filtered resource.
  2. Define the properties in the archetype POM (e.g., <afp.junit.version>${junit.version.that.dependabot.already.updates}</afp.junit.version>).
    ⚠️ These must reference the properties that dependabot does already update.
  3. Reference the properties in the resource POM (e.g., <junit.version>${afp.junit.version}</junit.version> in the resource POM will become <junit.version>5.6.0</junit.version>).
  4. ⚠️ Escape the other properties in the resource POM, so that they are not expanded.

See https://github.com/exonum/exonum-java-binding/pull/1449 for an example patch.

Specifying archetype resource POM in Dependabot config

As shared by @jglick below, it is possible to specify the directories containing the archetype resource POMs as usual POMs.

See an example config.

See also
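As an added illustration of the four "Properties substitution" steps above (example config, not from the original issue or from the linked exonum patch): the archetype project's POM, whose junit.version Dependabot already keeps current, and the template POM under archetype-resources that picks that value up through build-time resource filtering. The afp. prefix and 5.6.0 come from the steps above; the artifact coordinates and the escapeString-based escaping (the maven-resources-plugin rule that a `\${x}` is copied out as `${x}`) are my assumptions about how step 4 is realised.

```xml
<!-- pom.xml of the archetype project (coordinates omitted);
     Dependabot updates <junit.version> here as it does in any POM -->
<project>
  <packaging>maven-archetype</packaging>
  <properties>
    <junit.version>5.6.0</junit.version>
    <!-- Step 2: only afp.* properties are meant to be expanded in the template -->
    <afp.junit.version>${junit.version}</afp.junit.version>
  </properties>
  <build>
    <!-- Step 1: filter the template at build time (narrow with <includes>
         if other files under src/main/resources contain ${...}) -->
    <resources>
      <resource>
        <directory>src/main/resources</directory>
        <filtering>true</filtering>
      </resource>
    </resources>
    <plugins>
      <plugin>
        <artifactId>maven-resources-plugin</artifactId>
        <configuration>
          <!-- Step 4: "\${x}" is copied as "${x}" instead of being expanded -->
          <escapeString>\</escapeString>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>

<!-- src/main/resources/archetype-resources/pom.xml (the template) -->
<project>
  <!-- Velocity placeholders for the generated project; escaped so Maven
       filtering leaves them untouched for archetype:generate -->
  <groupId>\${groupId}</groupId>
  <artifactId>\${artifactId}</artifactId>
  <version>\${version}</version>
  <properties>
    <!-- Step 3: written out as <junit.version>5.6.0</junit.version> -->
    <junit.version>${afp.junit.version}</junit.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.junit.jupiter</groupId>
      <artifactId>junit-jupiter</artifactId>
      <version>\${junit.version}</version>  <!-- Step 4: stays literal -->
    </dependency>
  </dependencies>
</project>
```

After `mvn package`, the copy of the template inside the archetype jar carries the concrete version while every escaped placeholder still reads `${...}`, which is what the generated project needs.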

jglick commented 5 years ago

I suppose https://github.com/dependabot/dependabot-core/tree/master/maven/lib/dependabot would need to be patched as follows: when recursively traversing pom.xml files by <module>, if there is one which has <packaging>maven-archetype</packaging>, then also look for src/main/resources/archetype-resources/pom.xml and recursively traverse that as well.

greysteil commented 5 years ago

Thanks for the additional info @jglick! The code that will need changing is here. I'd happily accept a (well-tested) PR that addressed this. Am a little swamped to take it myself, though.

jglick commented 5 years ago

Ack. Too low priority for me at the moment to spend time on.

dmitry-timofeev commented 4 years ago

Added a workaround enabling automatic updates of the versions in the archetype resource POMs to the issue description.

jglick commented 4 years ago

Thanks for the tip @dmitry-timofeev! I have been using another workaround of just requesting manually that Dependabot examine archetype-resources subdirectories, though it suffers from the disadvantage that in cases where a given dependency is used in multiple archetypes, Dependabot will file separate PRs for each.

dmitry-timofeev commented 4 years ago

Thanks for sharing @jglick! I also added it to the description, as your approach is easier to implement.