littlerobots / version-catalog-update-plugin

Gradle plugin for updating a project version catalog
Apache License 2.0

don't decrease the version of library having latest version #116

Closed umeshbagade closed 10 months ago

umeshbagade commented 12 months ago

I know we can keep the versions using pin and keep, but I don't want to decrease the versions of my libraries. Is there any way I can keep latest versions if you can't update them?

Example: The following dependencies exceed the version found at the milestone revision level:

hvisser commented 12 months ago

In this case you have declared a version that doesn't exist (according to the versions plugin) so the plugin is correcting it to the actual version used in your project. So basically your version definition was never used here.

Are you sure the version you have declared exists?

hvisser commented 11 months ago

Without additional context this seems to work as intended.

umeshbagade commented 11 months ago

In this case you have declared a version that doesn't exist (according to the versions plugin) so the plugin is correcting it to the actual version used in your project. So basically your version definition was never used here.

Are you sure the version you have declared exists?

Yes, that version exists. It's the guava library with the 31.1-jre version, and this plugin is decreasing the version to 23. I'm using this update to remove CVEs, but CVEs exist in older versions.

hvisser commented 11 months ago

I suspect this is an issue with the dependency versions plugin (dependencies are not handled by this plugin). You can check the report.json to see what it believes to be the latest version. You can also try to run with --refresh-dependencies to force updating the cache.

If you have a small project that reproduces this I can take a look to verify and see if there's a fix. It's not trivial to determine a "downgrade" because a version could literally be anything. One possibility would be to only warn if the dependency versions plugin reports an exceeded dependency and not do anything.

hvisser commented 11 months ago

Adding com.google.guava:guava:31.1-jre to the version catalog and then running ./gradlew versionCatalogUpdate yields the correct results for me.

Please also check that you didn't disable the dependency versions plugin report.json by mistake. This can lead to stale results. If unsure delete build/dependencyUpdates/report.json and run the plugin again. It should recreate that file.

emartynov commented 10 months ago

I've seen something similar (came to start the conversation here and maybe later move it to the dependency gradle plugin).

So my cases:

androidx.core:core:1.10.1
androidx.core:core-ktx:1.10.1
androidx.customview:customview:1.2.0-alpha02

Go to:

androidx.core:core:1.8.0
androidx.core:core-ktx:1.2.0
androidx.customview:customview:1.1.0

What the report json says:

   {
    "group": "androidx.core",
    "name": "core",
    "version": "1.8.0",
    "projectUrl": "https://developer.android.com/jetpack/androidx/releases/core#1.10.1",
    "userReason": null
   },
   {
    "group": "androidx.core",
    "name": "core-ktx",
    "version": "1.2.0",
    "projectUrl": "https://developer.android.com/jetpack/androidx/releases/core#1.10.1",
    "userReason": null
   },
   {
    "group": "androidx.customview",
    "name": "customview",
    "version": "1.1.0",
    "projectUrl": "https://developer.android.com/jetpack/androidx",
    "userReason": null
   },
...
   {
    "group": "androidx.customview",
    "name": "customview",
    "version": "1.0.0",
    "projectUrl": "https://developer.android.com/jetpack/androidx",
    "userReason": null,
    "available": {
     "release": null,
     "milestone": "1.1.0",
     "integration": null
    }
...
"exceeded": {
  "count": 2,
  "dependencies": [
   {
    "group": "androidx.core",
    "name": "core",
    "version": "1.10.1",
    "projectUrl": "https://developer.android.com/jetpack/androidx/releases/core#1.10.1",
    "userReason": null,
    "latest": "1.8.0"
   },
   {
    "group": "androidx.core",
    "name": "core-ktx",
    "version": "1.10.1",
    "projectUrl": "https://developer.android.com/jetpack/androidx/releases/core#1.10.1",
    "userReason": null,
    "latest": "1.2.0"
   }
  ]

What I also see in the text report:

 - androidx.customview:customview [1.0.0 -> 1.1.0]
     https://developer.android.com/jetpack/androidx

The following dependencies exceed the version found at the milestone revision level:
 - androidx.core:core [1.10.1 <- 1.8.0]
     https://developer.android.com/jetpack/androidx/releases/core#1.10.1
 - androidx.core:core-ktx [1.10.1 <- 1.2.0]
     https://developer.android.com/jetpack/androidx/releases/core#1.10.1

hvisser commented 10 months ago

Have you tried running with --refresh-dependencies as noted in my comment here https://github.com/littlerobots/version-catalog-update-plugin/issues/116#issuecomment-1642788868 ? Since the dependencies are reported as exceeded, this means that they weren't found as valid versions by the dependency versions plugin. Why that is, is hard to tell.

I'm not sure if ignoring exceeded would be the right call since the consequence of that might be that you think you are using some not existing version while you are actually on some other version.

emartynov commented 10 months ago

Yeah, I ran it and got the same effect. I have the following code in Gradle:

apply plugin: 'com.github.ben-manes.versions'
apply plugin: 'nl.littlerobots.version-catalog-update'

/**
 * @return true if version is like `1.0-beta2`, `2.0-rc2`, `3.4-alpha05`
 *         false if version is like `3.0`, `4.4-final`, `release-0.6`, `v5.6.0`, `7.0 GA`
 *
 * Source https://github.com/ben-manes/gradle-versions-plugin
 */
def isNonStable = { String version ->
    def stableKeyword = ['RELEASE', 'FINAL', 'GA'].any { it -> version.toUpperCase().contains(it) }
    def regex = /^[0-9,.v-]+(-r)?$/
    return !stableKeyword && !(version ==~ regex)
}

/**
 * Instruct task to exclude non stable versions unless the original one is also unstable
 * This will allow to see updates for alphas and betas, but will not show updates for used stable versions
 *
 * Source https://github.com/ben-manes/gradle-versions-plugin
 */
tasks.named('dependencyUpdates').configure {
    rejectVersionIf {
        isNonStable(it.candidate.version) && !isNonStable(it.currentVersion)
    }
}

versionCatalogUpdate {
    // sort the catalog by key (default is true)
    sortByKey = false
}

Let me go ahead and remove the dependency update configuration and see if it probably changes things.

emartynov commented 10 months ago

Okay, as soon as I removed the dependency update configuration, I got the previous changes and alpha/beta versions for many other AndroidX dependencies also.

hvisser commented 10 months ago

Hm I wonder if it's really that since the regex matches the 1.10.1 version just fine and both of your versions are "stable" according to the version rule. In any case, I'm going to close this as this is not really something under the control of this plugin; if dependencies are filtered or not reported then there's not much I can do.
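As an added example (not the plugin's code and not posted by anyone in the thread), the Groovy isNonStable rule quoted above ported to Python and applied to the versions mentioned here, together with a pre-flight check over report.json that implements the "only warn on exceeded dependencies instead of rewriting" idea from earlier in the thread. The report excerpt is constructed from the values quoted above; the reduced field set and the numeric-only ordering are assumptions.

```python
import json
import re

# Constructed excerpt of build/dependencyUpdates/report.json using the values
# reported in the thread (assumption: only the fields needed here are kept).
SAMPLE_REPORT_JSON = """{
  "exceeded": {
    "count": 2,
    "dependencies": [
      {"group": "androidx.core", "name": "core", "version": "1.10.1", "latest": "1.8.0"},
      {"group": "androidx.core", "name": "core-ktx", "version": "1.10.1", "latest": "1.2.0"}
    ]
  }
}"""

STABLE_KEYWORDS = ("RELEASE", "FINAL", "GA")
STABLE_RE = re.compile(r"^[0-9,.v-]+(-r)?$")


def is_non_stable(version: str) -> bool:
    """Port of the Groovy isNonStable closure from the thread: a version is
    stable if it carries a stable keyword or matches the numeric regex."""
    upper = version.upper()
    has_keyword = any(k in upper for k in STABLE_KEYWORDS)
    return not has_keyword and STABLE_RE.match(version) is None


def numeric_key(version: str) -> tuple:
    """Leading numeric components only, so '1.10.1' sorts above '1.8.0'.
    Qualifiers such as '-jre' or '-alpha02' are ignored for ordering."""
    head = re.split(r"[-+]", version, maxsplit=1)[0]
    return tuple(int(p) for p in head.split(".") if p.isdigit())


def find_downgrades(report_text: str) -> list:
    """Return (coordinate, declared, proposed) for each 'exceeded' entry whose
    'latest' is numerically lower than the declared version, i.e. where
    writing 'latest' back into the catalog would be a downgrade."""
    report = json.loads(report_text)
    downgrades = []
    for dep in report.get("exceeded", {}).get("dependencies", []):
        declared, proposed = dep["version"], dep["latest"]
        if numeric_key(proposed) < numeric_key(declared):
            downgrades.append((f"{dep['group']}:{dep['name']}", declared, proposed))
    return downgrades


if __name__ == "__main__":
    # Warn and stop instead of letting the catalog be rewritten to older versions.
    for coord, declared, proposed in find_downgrades(SAMPLE_REPORT_JSON):
        print(f"WARNING: {coord} would be downgraded {declared} -> {proposed}")
```

Running this before versionCatalogUpdate turns a silent downgrade into a visible warning; note that 31.1-jre is classified as non-stable by the regex rule, so the rejectVersionIf filter never applies to it.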

emartynov commented 10 months ago

Thanks, I will create a ticket on the dependency update plugin repo.