It looks like Dependabot is not checking dependencies if the version of the dependency is defined through a property AND the property starts with 'project'.
This is working:
```xml
<properties>
  <guava.version>28.1-jre</guava.version>
</properties>
<dependencies>
  <dependency>
    <groupId>com.google.guava</groupId>
    <artifactId>guava</artifactId>
    <version>${guava.version}</version>
  </dependency>
</dependencies>
```
This is not working:
```xml
<properties>
  <project.guava.version>28.1-jre</project.guava.version>
</properties>
<dependencies>
  <dependency>
    <groupId>com.google.guava</groupId>
    <artifactId>guava</artifactId>
    <version>${project.guava.version}</version>
  </dependency>
</dependencies>
```
We created a repository explaining the issue in more detail. There you can have a look at the specific commits and the corresponding outputs of the Dependabot check. You can have a look at it here:
https://github.com/gbtec-ag/dependabot-version-property-issue
A follow-up problem is that Dependabot closes the corresponding PR (if one was created) but never opens the PR again after the property is corrected. This means one needs to reopen the PRs by hand (if available).
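An added example, not Dependabot's own code and not taken from the linked repository: a minimal Maven property resolver in Python that contrasts a lookup which reserves the `project.` prefix for Maven's built-in model properties (and so never resolves `${project.guava.version}`) with one that consults the POM's own `<properties>` first. That Dependabot's resolver behaves like the first variant is an assumption, not something this issue establishes; the sample POMs are constructed and omit the Maven XML namespace.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample POMs (not the linked repository's files), trimmed to the
# elements the resolver needs and written without the Maven XML namespace.
WORKING_POM = """<project>
  <properties><guava.version>28.1-jre</guava.version></properties>
  <dependencies><dependency>
    <groupId>com.google.guava</groupId><artifactId>guava</artifactId>
    <version>${guava.version}</version>
  </dependency></dependencies>
</project>"""
# Same POM with the property renamed so that it starts with "project."
FAILING_POM = WORKING_POM.replace("guava.version", "project.guava.version")

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

def _local(tag):
    """Drop a namespace prefix such as {http://maven.apache.org/POM/4.0.0}."""
    return tag.rsplit("}", 1)[-1]

def parse_pom(xml_text):
    """Return (declared properties, [(groupId, artifactId, raw version)])."""
    root = ET.fromstring(xml_text)
    props, deps = {}, []
    for el in root.iter():
        name = _local(el.tag)
        if name == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in el})
        elif name == "dependency":
            f = {_local(c.tag): (c.text or "").strip() for c in el}
            deps.append((f.get("groupId"), f.get("artifactId"), f.get("version")))
    return props, deps

def resolve_naive(raw, props):
    """Assumed faulty behaviour: treat every ${project.*} reference as a Maven
    built-in and never look it up in the POM's own <properties>."""
    def sub(m):
        key = m.group(1)
        return m.group(0) if key.startswith("project.") else props.get(key, m.group(0))
    out = PLACEHOLDER.sub(sub, raw)
    return None if PLACEHOLDER.search(out) else out  # None = dependency skipped

def resolve_declared_first(raw, props):
    """Check declared <properties> before any prefix rule, so a user-defined
    project.guava.version resolves like any other property."""
    out = PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), raw)
    return None if PLACEHOLDER.search(out) else out

def resolved_versions(xml_text, resolver):
    """Map 'groupId:artifactId' to the resolved version (None if unresolved)."""
    props, deps = parse_pom(xml_text)
    return {f"{g}:{a}": resolver(v, props) for g, a, v in deps}
```

Running `resolved_versions(FAILING_POM, resolve_naive)` yields `None` for guava, which mirrors the "not working" case above, while `resolve_declared_first` returns `28.1-jre` for both POMs.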