Published versions and Dependabot

[rkennedy-mode]

Is this a support request?
Yes.

Describe the bug
While investigating a dependabot pull request to upgrade from launchdarkly-client 4.6.0 to 4.61, I've discovered a number of issues with published versions of launchdarkly-client.

1. 4.61 was published in January, but never removed from Maven Central (even though it appears to have been published accidentally in place of 4.6.1): https://search.maven.org/artifact/com.launchdarkly/launchdarkly-client/4.61/jar
2. 4.6.4-4.6.6, 4.7.0, 4.7.1, 4.8.0, 4.8.1, and 4.9.0 have been released on GitHub (https://github.com/launchdarkly/java-server-sdk/releases) but not on Maven Central (https://search.maven.org/search?q=g:com.launchdarkly%20AND%20a:launchdarkly-client&core=gav)

To reproduce
Not entirely sure, but it's possible if you have a dependabot-managed repository with a 4.6.0 dependency that dependabot will still see 4.61 and get stuck trying to upgrade you to that version.

Expected behavior
4.61 probably needs to be removed from Maven Central. I have no idea at the moment how to un-stick dependabot without having it stop managing launchdarkly-client altogether until 5.x is released.

Logs
None.

SDK version
4.6.0…for now.

Language version, developer tools
Java.

OS/platform
Ubuntu/MacOS.

Additional context
That's it.

[bwoskow-ld]

Hi @rkennedy-mode,

Thanks for reaching out and asking about our releases. There are a couple of issues going on here.

1. Your assessment about 4.61 is correct -- this was an erroneous release. It was intended to be released as 4.6.1 and unfortunately the release process fully completed before we realized the mistake. 4.61 is logically equivalent to 4.6.1 other than the version string. We haven't removed 4.61 from Maven Central because doing so is generally frowned upon as some developers may already be using that version and removing it would break their builds -- even though, as we've both pointed out, they shouldn't be using it in the first place. Generally speaking, once an artifact reaches Maven Central, it is best to leave it there.

2. 4.61 is the "latest" launchdarkly-client version per semantic versioning, however, we no longer release artifacts by that id. As of 4.6.4 we renamed the artifact id from launchdarkly-client to launchdarkly-java-server-sdk. You can read more about this change and see it in the 4.6.4 changelog. One nice side effect of this artifact id change is that we're no longer tied to having to deal with the erroneous 4.61 version! You can see in Maven Central that 4.9.0 is the latest release for launchdarkly-java-server-sdk.

All in all, if you update from com.launchdarkly:launchdarkly-client:4.6.0 to com.launchdarkly:launchdarkly-java-server-sdk:4.9.0, you should be good to go. I'm going to go ahead and close this issue now, but let me know if you have any further questions on the matter.

Cheers,
Ben

[rkennedy-mode]

Ah, excellent. I hadn't noticed that the artifact ID had changed, which explains why I wasn't seeing newer versions in Maven Central. Thanks!