liquidz / antq

Point out your outdated dependencies.

Option to ignore -SNAPSHOT versions? #210

Closed pmonks closed 1 year ago

pmonks commented 1 year ago

Currently antq treats version labels such as -SNAPSHOT and main-SNAPSHOT as being older than any other version (which, to be clear, is consistent with how Maven does it and therefore technically correct). However some Maven artifact repositories (notably jitpack.io) (ab)use such version labels to identify the latest commit in a particular branch; in the case of jitpack, version -SNAPSHOT is the latest commit in the default branch of that GitHub repository, and version branchname-SNAPSHOT is the latest commit in branch branchname.

So while antq is technically correct as per Maven's behaviour, it reports false positives when such versions are in use.

For example, I'm currently testing some code that uses spdx/Spdx-Java-Library version master-SNAPSHOT [1], and each time I run antq it reports that this version is out of date compared to v1.1.4 (the last released version published to Maven Central).

It would be great if there were an option in antq (perhaps defaulted to off, so that folks who don't use things like jitpack.io aren't caught by surprise) that allowed such version labels to be ignored (i.e. treated as "newest" in all cases).

[1] Here's the deps.edn, if you'd like to try this out:

{:deps
  {com.github.spdx/Spdx-Java-Library {:mvn/version "master-SNAPSHOT"}}
  :mvn/repos {"jitpack" {:url "https://jitpack.io"}}}
liquidz commented 1 year ago

@pmonks

> Currently antq treats version labels such as -SNAPSHOT and main-SNAPSHOT as being older than any other version

This is correct if the version being compared does not contain "-SNAPSHOT", but incorrect if it does.

For example, in the following deps.edn, antq will compare versions containing "-SNAPSHOT" since next.jdbc already has a version containing "-SNAPSHOT".

{:deps {com.github.seancorfield/next.jdbc {:mvn/version "1.3.999-SNAPSHOT"}}}

But antq uses xsc/version-clj for version comparison, and it is based on semantic versioning. So the version "master" is treated as older than others.

(sort version-clj.core/version-compare ["1.0.1" "master-SNAPSHOT" "1.0.2-SNAPSHOT"])
;; => ("master-SNAPSHOT" "1.0.1" "1.0.2-SNAPSHOT")

Thus, for now, we should exclude dependencies that are detected incorrectly.

{:deps {com.github.spdx/Spdx-Java-Library ^:antq/exclude {:mvn/version "master-SNAPSHOT"}}
 :mvn/repos {"jitpack" {:url "https://jitpack.io"}}}
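The following is an added example, not antq's own code and not something posted in this thread. It sketches what the option pmonks asked for could look like on top of the version-clj comparison liquidz describes: a `branch-snapshot?` predicate recognises jitpack-style labels (a bare `-SNAPSHOT` or a `<branch>-SNAPSHOT` whose prefix starts with a letter), and `outdated?` either short-circuits on them or defers to `version-clj.core/version-compare`. The namespace name, the function names, the `:ignore-branch-snapshots` option key and the `sample-latest` map of "newest published" versions are all assumptions made for the example; only `version-clj.core/version-compare` and the deps.edn contents come from the thread. It assumes version-clj is on the classpath.

```clojure
(ns example.snapshot-branches
  ;; Added example: only version-clj.core/version-compare is a real API used
  ;; on the page; everything else here is illustrative.
  (:require [version-clj.core :as v]))

(defn branch-snapshot?
  "True for labels that name a branch tip rather than a release:
   \"-SNAPSHOT\" (jitpack's default branch) or \"<branch>-SNAPSHOT\" where
   the prefix starts with a letter, e.g. \"master-SNAPSHOT\".
   Numeric snapshots such as \"1.0.2-SNAPSHOT\" are NOT matched, so they
   keep being compared normally, as liquidz's next.jdbc example shows.
   Caveat: a branch whose name starts with a letter and contains digits
   (e.g. \"v2-SNAPSHOT\") is also treated as a branch label."
  [version]
  (boolean (re-matches #"(?:[A-Za-z][^/\s]*)?-SNAPSHOT" version)))

(defn outdated?
  "Returns true when `latest` is strictly newer than `current` according to
   version-clj. With {:ignore-branch-snapshots true} a branch-SNAPSHOT
   `current` is always reported as up to date, which is the behaviour the
   issue asks for (defaulted to off, as pmonks suggested)."
  [current latest {:keys [ignore-branch-snapshots]}]
  (if (and ignore-branch-snapshots (branch-snapshot? current))
    false
    (neg? (v/version-compare current latest))))

(defn check-deps
  "Walks the :deps map of a deps.edn and returns one map per artifact whose
   :mvn/version is outdated relative to `latest-versions`, a map from
   artifact symbol to the newest version a repository reports. Here that map
   is constructed by hand; a real checker would query the repository."
  [deps-edn latest-versions opts]
  (for [[artifact {:keys [mvn/version]}] (:deps deps-edn)
        :let [latest (get latest-versions artifact)]
        :when (and version latest (outdated? version latest opts))]
    {:artifact artifact :current version :latest latest}))

;; Constructed deps.edn, built from the two snippets in this thread plus one
;; ordinary versioned dependency.
(def sample-deps
  '{:deps {com.github.spdx/Spdx-Java-Library   {:mvn/version "master-SNAPSHOT"}
           com.github.seancorfield/next.jdbc   {:mvn/version "1.3.999-SNAPSHOT"}
           org.clojure/clojure                 {:mvn/version "1.10.3"}}
    :mvn/repos {"jitpack" {:url "https://jitpack.io"}}})

;; Constructed "newest version" data. "1.1.4" is the Maven Central release
;; pmonks mentions; the other two values are sample values, not a lookup.
(def sample-latest
  '{com.github.spdx/Spdx-Java-Library "1.1.4"
    com.github.seancorfield/next.jdbc "1.3.999-SNAPSHOT"
    org.clojure/clojure               "1.11.1"})

(comment
  ;; Default behaviour: Spdx-Java-Library is flagged because version-clj
  ;; sorts "master-SNAPSHOT" below any numeric version (the false positive).
  (check-deps sample-deps sample-latest {})

  ;; With the option on, the branch label is skipped and only the genuinely
  ;; outdated org.clojure/clojure entry remains.
  (check-deps sample-deps sample-latest {:ignore-branch-snapshots true}))
```

The predicate is deliberately narrow so that the exclusion only silences branch labels: `^:antq/exclude`, as liquidz shows, hides every future report for that artifact, whereas this option keeps numeric `x.y.z-SNAPSHOT` coordinates under comparison and keeps reporting real releases for the other dependencies. Whichever mechanism is used, each skipped artifact should be reviewed by hand from time to time, since nothing is telling you when that branch tip moves.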
pmonks commented 1 year ago

Oooh thanks - I didn't know about ^:antq/exclude. That'll work great.