feat(datasource/maven)!: use latest and release values as tags #35515

Merged: rarkins merged 7 commits into main from feat/35503-maven-tags on Apr 30, 2025
rarkins (Contributor) commented Apr 24, 2025

Changes

Uses "latest" and "release" values in maven-metadata.xml as tags if present.

This could have an effect on some existing package lookups because prior to this PR, the Renovate concept of respectLatest was not applicable, whereas now it is.

Context

Documentation (please check one with an [x])

  • I have updated the documentation, or
  • No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

  • Code inspection only, or
  • Newly added/modified unit tests, or
  • No unit tests but ran on a real repository, or
  • Both unit tests + ran on a real repository

@rarkins rarkins requested review from secustor and viceice April 24, 2025 06:53
rarkins (Contributor, Author) commented Apr 24, 2025

Because the Maven datasource can use "merge" strategy, we need to think about the implications of this for tags. Different registries may have different latest and release tags. Should we take the highest of the tags if multiple apply?

@rarkins rarkins marked this pull request as draft April 24, 2025 06:54
@rarkins rarkins requested a review from Churro April 24, 2025 07:03
@rarkins rarkins changed the title feat(datasource/maven): use latest and release values as tags feat(datasource/maven)!: use latest and release values as tags Apr 27, 2025
@rarkins rarkins changed the base branch from main to next April 27, 2025 07:46
@rarkins rarkins marked this pull request as ready for review April 27, 2025 07:48
Churro (Collaborator) commented Apr 27, 2025

> Because the Maven datasource can use "merge" strategy, we need to think about the implications of this for tags. Different registries may have different latest and release tags. Should we take the highest of the tags if multiple apply?

If I read it correctly, Maven resolves latest and release by merging metadata from all registries and selecting the value with the most recent lastUpdated timestamp for each tag - not by picking the numerically highest version. If two registries propose different latest values, the one whose metadata has the most recent lastUpdated timestamp for the tag will "win".

The evidence that leads to this conclusion can be found in Maven's DefaultVersionResolver.java (ref) for regular deps and DefaultPluginVersionResolver.java (ref) for plugins.

Generally, taking the highest of the tags sounds reasonable to me. In some registries like Artifactory it is possible to trigger a rebuild of Maven metadata, so linking the use of latest to other criteria, such as lastUpdated, could actually lead to wrong selections.
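
The two selection rules weighed in this thread (newest lastUpdated versus highest version), as an added example that is not part of the PR, Renovate's code or Maven's code. The metadata snippets, the registry names "a" and "b", and the simplified dotted-number version comparison are constructed assumptions.

```typescript
// Added example, not Renovate or Maven code. All metadata below is constructed.
type Tag = 'latest' | 'release';
interface RegistryTags { latest?: string; release?: string; lastUpdated?: string }

// Minimal lookup of flat <versioning> children; use a real XML parser in production.
function parseMetadata(xml: string): RegistryTags {
  const read = (name: string): string | undefined =>
    new RegExp(`<${name}>\\s*([^<]+?)\\s*</${name}>`).exec(xml)?.[1];
  return { latest: read('latest'), release: read('release'), lastUpdated: read('lastUpdated') };
}

// Assumption: plain dotted numeric versions, no qualifiers such as -SNAPSHOT.
function compareVersions(a: string, b: string): number {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Rule 1: the registry whose metadata has the newest lastUpdated supplies the tag.
// lastUpdated is a fixed-width yyyyMMddHHmmss string, so string order is time order.
function pickByLastUpdated(sources: RegistryTags[], tag: Tag): string | undefined {
  let winner: RegistryTags | undefined;
  for (const s of sources) {
    if (s[tag] === undefined) continue;
    if (!winner || (s.lastUpdated ?? '') > (winner.lastUpdated ?? '')) winner = s;
  }
  return winner?.[tag];
}

// Rule 2: the highest tagged version across all registries wins.
function pickHighest(sources: RegistryTags[], tag: Tag): string | undefined {
  const values = sources.map((s) => s[tag]).filter((v): v is string => v !== undefined);
  return values.sort(compareVersions).pop();
}

// Constructed case: registry "b" regenerated its metadata later but lags behind "a".
const SAMPLE: RegistryTags[] = [
  parseMetadata('<versioning><latest>2.1.0</latest><release>2.1.0</release><lastUpdated>20250301120000</lastUpdated></versioning>'),
  parseMetadata('<versioning><latest>2.0.0</latest><release>1.9.0</release><lastUpdated>20250420093000</lastUpdated></versioning>'),
];
```

On the constructed input, rule 1 yields 2.0.0 for latest while rule 2 yields 2.1.0, which is the kind of divergence a metadata rebuild on a lagging registry can produce.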

@rarkins rarkins added the breaking Breaking change, requires major version bump label Apr 28, 2025
@viceice viceice added this to the v40 milestone Apr 28, 2025
viceice previously approved these changes Apr 28, 2025
@rarkins rarkins changed the base branch from next to main April 28, 2025 08:29
@rarkins rarkins dismissed viceice’s stale review April 28, 2025 08:29

The base branch was changed.

@rarkins rarkins requested a review from viceice April 28, 2025 10:29
Comment thread lib/modules/datasource/index.ts Outdated
@rarkins rarkins requested a review from viceice April 28, 2025 18:27
Comment thread lib/modules/datasource/index.ts Outdated
Comment thread lib/modules/datasource/index.ts Outdated
Comment thread lib/modules/datasource/index.ts Outdated
@rarkins rarkins requested a review from viceice April 30, 2025 08:06
@rarkins rarkins merged commit 70fb884 into main Apr 30, 2025
40 checks passed
@rarkins rarkins deleted the feat/35503-maven-tags branch April 30, 2025 08:51
@renovate-release

🎉 This PR is included in version 40.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

SuperSandro2000 added a commit to SuperSandro2000/renovate that referenced this pull request May 1, 2025
* upstream/main: (176 commits)
  build(deps): update aws-sdk-js-v3 monorepo (main) (renovatebot#35660)
  chore(deps): update docker/dockerfile docker tag to v1.15.1 (main) (renovatebot#35659)
  fix(deps): update ghcr.io/renovatebot/base-image docker tag to v9.64.3 (main) (renovatebot#35657)
  chore: thre -> the (renovatebot#35655)
  chore(deps): update dependency vite to v6.3.4 [security] (main) (renovatebot#35653)
  build(deps): update dependency glob to v11.0.2 (main) (renovatebot#35649)
  fix(memCache): disallow http requests in cache to be mutable (renovatebot#35647)
  fix(gomod): Exclude multi-line `exclude` directives from extraction (renovatebot#35623)
  docs(config options): rewrite `ignoreScripts` (renovatebot#32171)
  chore(deps): update python:3.13 docker digest to 884da97 (main) (renovatebot#35645)
  chore(deps): update python docker tag to v3.13.3 (main) (renovatebot#35276)
  fix(deps): update ghcr.io/renovatebot/base-image docker tag to v9.64.2 (main) (renovatebot#35644)
  feat(config)!: validate allowedCommands against post-compiled commands (renovatebot#35564)
  feat(config)!: create new Config Warning issues each time (renovatebot#35565)
  feat(autodiscoverFilter)!: support combined negative matches (renovatebot#34707)
  feat(datasource/maven)!: use latest and release values as tags (renovatebot#35515)
  feat!: require node v22.13 (renovatebot#34524)
  chore(deps): update dependency esbuild to v0.25.3 (main) (renovatebot#35637)
  chore(deps): update python:3.13 docker digest to 19c3e96 (main) (renovatebot#35636)
  feat(deps): update ghcr.io/renovatebot/base-image docker tag to v9.64.1 (main) (renovatebot#35632)
  ...
@github-actions github-actions Bot locked as resolved and limited conversation to collaborators May 31, 2025
Labels

breaking Breaking change, requires major version bump

Development

Successfully merging this pull request may close these issues.

Include latest and release tags with Maven datasource results

4 participants