
Suppress Dependabot prompts for *-999999-SNAPSHOT #30

Open
jglick opened this issue Apr 4, 2022 · 4 comments

@jglick (Member) commented Apr 4, 2022

jenkinsci/bom#913, jenkinsci/bom#980. I guess there are two contributing issues:

  • Dependabot’s Maven plugin does not get that *-SNAPSHOT is not a release. This fact is built into Maven core IIRC. Seems like a DB bug.
  • The snapshots repo is even being consulted. I think we could configure DB specifically to use the releases repo rather than public as in the POM. Would be a pain to do that for all DB-enabled repos but if bom is especially affected it would be reasonable.
@basil (Member) commented Apr 4, 2022

> Suppress Dependabot prompts for 999999-SNAPSHOT

Dependabot does not prompt for 999999-SNAPSHOT, 2.13.1-SNAPSHOT, or 0.11.2-SNAPSHOT. It does prompt for 2.13.1-999999-SNAPSHOT and 0.11.2-999999-SNAPSHOT.

These are JEP-229 specific version numbers. I suggest investigating to determine which of the two is the case:

  • These JEP-229 numbers are not considered snapshots by either Maven or Dependabot, in which case an issue should be opened against the JEP-229 documentation or toolchain.
  • These JEP-229 numbers are considered snapshots by Maven but not by Dependabot, in which case an issue should be opened against Dependabot.

In either case it is not appropriate to open an issue against bom, so I am closing this issue.

@basil basil closed this as completed Apr 4, 2022
@jglick jglick changed the title Suppress Dependabot prompts for 999999-SNAPSHOT Suppress Dependabot prompts for *-999999-SNAPSHOT Apr 4, 2022
@jglick (Member, Author) commented Apr 4, 2022

> Dependabot does not prompt for 999999-SNAPSHOT

Interesting—do you know of cases where such versions have been deployed but not offered by DB?

2.13.1-999999-SNAPSHOT etc. are snapshot versions according to Maven semantics, again to my recollection: anything ending in -SNAPSHOT (as well as a more technical pattern used for timestamped snapshots). Such version numbers can arise in the alternate JEP-229 idiom used for library wrapper plugins

<version>${revision}-${changelist}</version>

if you mvn deploy. I cannot think of any particular reason why DB should treat such unremarkable-looking version strings as releases, but who knows.

> In either case it is not appropriate to open an issue against bom

Filed just because it is an occasional annoyance that we may be able to work around in this repo, and/or as a tracking issue reminding us to research and file an upstream bug.
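To make the Maven rule recalled above (and the first of the two contributing issues listed in the opening comment) concrete, here is an added example in Python. It is not code from this issue, from Jenkins, or from Dependabot: it reproduces the snapshot test that Maven core applies, modelled on maven-artifact's ArtifactUtils.isSnapshot (that this matches Maven exactly is an assumption; check it against the Maven version you run), assembles the `${revision}-${changelist}` string used by the library-wrapper idiom, and filters a repository listing down to the versions an updater should be allowed to offer. The listing and every version string in it are constructed for the example.

```python
import re

# Maven core treats a version as a snapshot when it ends in "SNAPSHOT"
# (compared case-insensitively) or when it has the timestamped form that
# `mvn deploy` writes into a snapshot repository, e.g. 2.13.1-20220404.101112-7.
# Assumption: this mirrors maven-artifact's ArtifactUtils.isSnapshot.
SNAPSHOT_SUFFIX = "SNAPSHOT"
TIMESTAMPED_SNAPSHOT = re.compile(r"^(.*)-([0-9]{8}\.[0-9]{6})-([0-9]+)$")


def is_maven_snapshot(version: str) -> bool:
    """Return True if Maven would regard `version` as a snapshot."""
    if version is None:
        return False
    # Tail comparison, ignoring case, like String.regionMatches(true, ...).
    if version[-len(SNAPSHOT_SUFFIX):].upper() == SNAPSHOT_SUFFIX:
        return True
    return TIMESTAMPED_SNAPSHOT.match(version) is not None


def jep229_version(revision: str, changelist: str) -> str:
    """Assemble the version the way <version>${revision}-${changelist}</version>
    does, so a changelist of 999999-SNAPSHOT yields 2.13.1-999999-SNAPSHOT."""
    return f"{revision}-{changelist}"


def release_candidates(versions):
    """Drop every version Maven would call a snapshot, preserving listing order.
    This is the filter an updater needs before it proposes an upgrade: snapshot
    coordinates are mutable (re-deployed under the same name), so they are never
    a sound upgrade target."""
    return [v for v in versions if not is_maven_snapshot(v)]


# Constructed directory listing in the shape of a Maven repository index.
# These are made-up entries for the example, not the contents of any real repo.
CONSTRUCTED_LISTING = [
    "1175.v4b_d33f9a_2b_8c",      # Jenkins-style release version
    "2.13.1",                      # plain release
    jep229_version("2.13.1", "999999-SNAPSHOT"),  # wrapper-plugin snapshot
    "2.13.1-20220404.101112-7",    # timestamped snapshot as deployed
    "999999-SNAPSHOT",             # plain JEP-229 changelist
    "0.11.2-999999-SNAPSHOT",
]


if __name__ == "__main__":
    for v in CONSTRUCTED_LISTING:
        print(f"{v:32} snapshot={is_maven_snapshot(v)}")
    print("offerable:", release_candidates(CONSTRUCTED_LISTING))
```

Run as a script, the listing collapses to the two release versions; every `*-999999-SNAPSHOT` entry and the timestamped form are rejected by the same rule. If the check above does reproduce Maven, both JEP-229 strings in this thread are snapshots to Maven, which is the evidence needed to decide between the two possibilities listed in the earlier comment.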

@basil (Member) commented Apr 4, 2022

> do you know of cases where such versions have been deployed but not offered by DB?

https://repo.jenkins-ci.org/artifactory/public/org/jenkins-ci/plugins/script-security/999999-SNAPSHOT/

> as a tracking issue reminding us to research and file an upstream bug

It is not appropriate to file JEP-229 specific tracking issues in the bom component. Such tracking issues should be filed against the JEP-229 docs or one of the JEP-229 tooling repositories.

@jglick (Member, Author) commented Apr 4, 2022

Granted. This repository just seemed most likely to be affected, and so the likely locus of any workaround. Anyway, I will try to move it.

@jglick jglick transferred this issue from jenkinsci/bom Apr 4, 2022
@jglick jglick reopened this Apr 4, 2022