Open dmitry-timofeev opened 5 years ago
I suppose https://github.com/dependabot/dependabot-core/tree/master/maven/lib/dependabot would need to be patched as follows: when recursively traversing pom.xml files by <module>, if there is one which has <packaging>maven-archetype</packaging>, then also look for src/main/resources/archetype-resources/pom.xml and recursively traverse that as well.
Thanks for the additional info @jglick! The code that will need changing is here. I'd happily accept a (well-tested) PR that addressed this. Am a little swamped to take it myself, though.
Ack. Too low priority for me at the moment to spend time on.
Added a workaround enabling automatic updates of the versions in the archetype resource POMs to the issue description.
Thanks for the tip @dmitry-timofeev! I have been using another workaround of just requesting manually that Dependabot examine archetype-resources subdirectories, though it suffers from the disadvantage that in cases where a given dependency is used in multiple archetypes, Dependabot will file separate PRs for each.
Thanks for sharing @jglick! I also added to the description, as your approach is easier to implement.
Hi, thanks for the awesome bot!
It would be great if dependabot was able to update pom.xml in Maven archetypes. A Maven archetype works as a template for new projects (e.g., a Spring Boot web application) and contains a template pom.xml, which usually declares some dependencies. As this pom.xml is a template for new projects, it is not a part of a multi-module build definition. Currently dependabot ignores such files, and they must be manually updated.
Workarounds
Properties substitution
<afp.junit.version>${junit.version.that.dependabot.already.updates}</afp.junit.version>
). ⚠️ These must reference the properties that dependabot does already update.
<junit.version>${afp.junit.version}</junit.version>
in the resource POM will become <junit.version>5.6.0</junit.version>
)
See https://github.com/exonum/exonum-java-binding/pull/1449 for an example patch.
Specifying archetype resource POM in Dependabot config
As shared by @jglick below, it is possible to specify the directories containing the archetype resource POMs as usual POMs.
See an example config.
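The traversal @jglick describes in the comments, written as a stand-alone scan that lists the archetype resource directories the second workaround has to name in the Dependabot config; this is an added example, not Dependabot's code and not part of the original issue. The function names and the sample repository layout are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
RESOURCES = "src/main/resources/archetype-resources"

def archetype_resource_dirs(repo_root):
    """Return repo-relative directories holding archetype resource POMs."""
    repo_root, found, seen = os.path.realpath(repo_root), [], set()
    def visit(pom_path):
        pom_path = os.path.realpath(pom_path)
        if pom_path in seen or not os.path.isfile(pom_path):
            return
        seen.add(pom_path)
        base = os.path.dirname(pom_path)
        try:
            root = ET.parse(pom_path).getroot()
        except ET.ParseError:
            return  # template POM that is not well-formed XML: do not descend
        # {*} matches the Maven POM namespace or none (template POMs vary)
        if (root.findtext("{*}packaging") or "").strip() == "maven-archetype":
            res = os.path.join(base, RESOURCES)
            if os.path.isfile(os.path.join(res, "pom.xml")):
                found.append("/" + os.path.relpath(res, repo_root).replace(os.sep, "/"))
                visit(os.path.join(res, "pom.xml"))
        for mod in root.findall(".//{*}modules/{*}module"):
            target = os.path.join(base, (mod.text or "").strip())
            visit(target if target.endswith(".xml") else os.path.join(target, "pom.xml"))
    visit(os.path.join(repo_root, "pom.xml"))
    return sorted(found)

def demo():
    """Scan a constructed sample repo (not taken from any real project)."""
    ns = 'xmlns="http://maven.apache.org/POM/4.0.0"'
    poms = {
        "pom.xml": f"<project {ns}><modules><module>app</module>"
                   "<module>archetype</module></modules></project>",
        "app/pom.xml": f"<project {ns}><packaging>jar</packaging></project>",
        "archetype/pom.xml": f"<project {ns}><packaging>maven-archetype</packaging></project>",
        "archetype/" + RESOURCES + "/pom.xml": "<project><version>${version}</version></project>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, xml in poms.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(xml)
        return archetype_resource_dirs(root)

if __name__ == "__main__":
    print(demo())
```

Each returned path is a candidate directory entry for the Dependabot config, and rerunning the scan in CI shows when a new archetype module has been added without one.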