dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Java (Gradle) ignoring maven central #3901

Open MarcelCoding opened 3 years ago

MarcelCoding commented 3 years ago

Package ecosystem: java
Package manager version: gradle 7.0.2
Language version: java 11 & 16
Manifest location and content prior to update / dependabot.yml content: https://github.com/MarcelCoding/luna/blob/main/.github/dependabot.yaml
Updated dependency: org.springdoc:springdoc-openapi-webflux-ui 1.5.6

What you expected to see, versus what you actually saw: As you see, maven central is not checked:

updater | INFO <job_161072655> Checking if org.springdoc:springdoc-openapi-webflux-ui 1.5.6 needs updating
  proxy | 2021/06/14 07:35:00 [048] GET https://raw.githubusercontent.com:443/getnova/maven/main/org/springdoc/springdoc-openapi-webflux-ui/maven-metadata.xml
  proxy | 2021/06/14 07:35:00 [048] 404 https://raw.githubusercontent.com:443/getnova/maven/main/org/springdoc/springdoc-openapi-webflux-ui/maven-metadata.xml
  proxy | 2021/06/14 07:35:00 [050] GET https://repo.spring.io:443/release/org/springdoc/springdoc-openapi-webflux-ui/maven-metadata.xml
  proxy | 2021/06/14 07:35:00 [050] 404 https://repo.spring.io:443/release/org/springdoc/springdoc-openapi-webflux-ui/maven-metadata.xml
  proxy | 2021/06/14 07:35:00 [052] GET https://repo.spring.io:443/milestone/org/springdoc/springdoc-openapi-webflux-ui/maven-metadata.xml
  proxy | 2021/06/14 07:35:00 [052] 404 https://repo.spring.io:443/milestone/org/springdoc/springdoc-openapi-webflux-ui/maven-metadata.xml
  proxy | 2021/06/14 07:35:00 [054] GET https://repo.spring.io:443/snapshot/org/springdoc/springdoc-openapi-webflux-ui/maven-metadata.xml
  proxy | 2021/06/14 07:35:00 [054] 404 https://repo.spring.io:443/snapshot/org/springdoc/springdoc-openapi-webflux-ui/maven-metadata.xml
updater | INFO <job_161072655> Latest version is 
updater | INFO <job_161072655> Requirements to unlock update_not_possible
updater | INFO <job_161072655> Requirements update strategy 
updater | INFO <job_161072655> No update possible for org.springdoc:springdoc-openapi-webflux-ui 1.5.6

But Maven Central is configured: https://github.com/MarcelCoding/luna/blob/main/build.gradle#L35-L51

Native package manager behavior: Gradle is capable of locating packages in maven central.

Images of the diff or a link to the PR, issue or logs: Logs

🕹 Bonus points: Smallest manifest that reproduces the issue

bmarty commented 2 years ago

Our project is suffering from the same issue I think: https://github.com/vector-im/element-android/issues/5961.

@MarcelCoding did you find a way to workaround the problem?

MarcelCoding commented 2 years ago

Unfortunately not. I could try not using mavenCentral() but rather the actual URL, maven { url 'https://repo1.maven.org/maven2/' }. Idk why I didn't try that yet...

... it actually worked. I am so stupid.

@bmarty

jeffwidman commented 1 year ago

Ideally we'd parse this out as a special case and translate it to the known maven central URL, but I looked at the commit where you fixed this (https://github.com/MarcelCoding/luna/commit/7e2053bd7872a7ddf964ba676de1649dfde8c749) and it looks like mavenCentral() allows specifying URL excludes, so it gets tricky fast: https://github.com/MarcelCoding/luna/commit/7e2053bd7872a7ddf964ba676de1649dfde8c749#diff-49a96e7eea8a94af862798a45174e6ac43eb4f8b4bd40759b5da63ba31ec3ef7L39-L41

Our current parser for Maven is completely Ruby-based, and a bit primitive... Long term we'd like to move to a native Java-based helper which would allow directly processing code when fetching the packages, but we're unlikely to get to that for a while.

Thankfully the workaround is trivial.
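To show what this thread is about in code, here is an added example (not dependabot-core's parser, and not code from anyone in the thread): a minimal Ruby extractor for the repositories in a build.gradle that either translates the mavenCentral() shorthand to its URL or, with the translation switched off, reproduces the lookups in the log above, where Central is never queried. The sample build.gradle, the constant and function names are all assumptions made for the example.

```ruby
# Added example, not dependabot-core's own parser: a minimal extractor for
# the repositories declared in a build.gradle, showing why the mavenCentral()
# shorthand has to be translated to its URL or Central is silently skipped.
MAVEN_CENTRAL_URL = "https://repo1.maven.org/maven2/".freeze

# Constructed build.gradle modelled on the repository order in the log above.
SAMPLE_BUILD_GRADLE = <<~GRADLE
  plugins { id 'java' }
  repositories {
    maven { url 'https://raw.githubusercontent.com/getnova/maven/main/' }
    maven { url 'https://repo.spring.io/release' }
    mavenCentral()
  }
GRADLE

# Body of the first top-level `repositories { ... }` block, found with a
# brace-depth scan so nested `maven { ... }` blocks do not end it early.
def repositories_block(src)
  start = src.index(/repositories\s*\{/) or return nil
  open = src.index("{", start)
  depth = 0
  open.upto(src.length - 1) do |j|
    depth += 1 if src[j] == "{"
    depth -= 1 if src[j] == "}"
    return src[(open + 1)...j] if depth.zero?
  end
  nil
end

# Matches either the mavenCentral shorthand (with or without a content
# filter block) or an explicit `url '...'` / `url = uri("...")` entry.
REPO_PATTERN = /mavenCentral\s*[({]|url\s*=?\s*(?:uri\()?\s*['"]([^'"]+)['"]/

# Ordered repository base URLs. With translate_shorthand: false the shorthand
# is dropped, reproducing the lookups in the log above. Content filters inside
# mavenCentral { ... } are ignored here (the tricky part mentioned in the
# thread), and other repository shorthands are skipped, not translated.
def gradle_repository_urls(build_gradle, translate_shorthand: true)
  block = repositories_block(build_gradle) or return []
  block.scan(REPO_PATTERN).map do |(url)|
    next(translate_shorthand ? MAVEN_CENTRAL_URL : nil) if url.nil?
    url.end_with?("/") ? url : "#{url}/"
  end.compact
end

# The maven-metadata.xml URL an updater would fetch from each repository.
def metadata_urls(build_gradle, group, artifact, **opts)
  gradle_repository_urls(build_gradle, **opts).map do |repo|
    "#{repo}#{group.tr('.', '/')}/#{artifact}/maven-metadata.xml"
  end
end
```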