use-latest-versions or use-latest-releases changes versions to last version found in local repository, not in remote repo

[Dankur96]

When I use goals "use-latest-versions" or "use-latest-releases" it changes versions of dependencies to the last versions found in local repository (version from maven-metadata-local.xml file in dependency directory). The same situation occurs, when I use "display-dependency-updates" goal, it also checks for versions in local repository first. Is it normal behaviour of this goal or should it always check remote repository for updates?

It can lead to mistakes, for example if you have two projects: 1) core project which contains all "core dependencies" 2) project, which uses these core dependencies In case I change locally version of dependency in core project to the HIGHER version than last version available in remote repository and do "maven install" in core project (what will make maven-metadata-local.xml file and create new dependency in .m2\repository), after using "use-latest-versions" it updates versions to these which has not been released and uploaded to remote repository. That will lead to errors in builds, etc.

What I expect is that "use-latest-versions" or "use-latest-releases" will pull latest versions directly from remote repository and change them in pom.xml file.

Is it normal behaviour of this plugin or some kind of bug?

[pzygielo]

-U

[Dankur96]

"-U" option works only if local repository contain lower version, than remote repo. Otherwise it will not work as expected. As far as I know, -U option is not for forcing maven to check only remote repository, but to force check if remote repository contains higher version.

[jarmoniuk]

Looking into

[jarmoniuk]

The mojo always checks both local as well as all remote repositories. In this it follows the maven-compat library, which it currenty uses. The current maven-core library has the same behaviour in that regard.

In that light, that it follows maven's behaviour, I don't think it's necessarily a bug.

In your particular problem, perhaps the new options, -Dmaven.version.ignore (soon to be renamed to -Dmojohaus.versions.ignore) could be helpful -- you can then exclude some version patterns, e.g. -SNAPSHOTS, from being considered.

See #454

[las66]

I have the same problem. I need to build different versions of the project, so there are a lot of extra versions of dependencies locally. -Dmaven.version.ignore won't help here. I only need to check versions on the remote repository each time.

So far, the only workaround I've found is to first remove all versions of the dependencies I need from the local repository, and then use use-latest-versions.

But I don't like this way. Is there a normal way to scan versions of a remote repository only?

[jarmoniuk]

So basically something to be able to provide rules to disable repositories (here: local repo), but via command line, e.g. using user properties?

[las66]

Yes

[slawekjaranowski]

Now we use new Resolver API - we can check if we can provide a null or empty local repository for versions resolving.

[github-actions[bot]]

This issue is stale because it has been open 365 days with no activity. Remove stale label or comment or this will be closed in 30 days.