Incorrect report with older library versions when newer versions are available in repository #103
Comments
|
Can you provide a trimmed down build script? This could be because a repository has bad metadata (e.g. gradle's plugin portal doesn't update the maven-metadata.xml files after a release) |
|
This could also be a bug in Gradle or the tool that performed the dependency's release. We delegate to Gradle's dependency resolution rather than reinvent it. For example if we look at the metadata for <metadata>
<groupId>asm</groupId>
<artifactId>asm-analysis</artifactId>
<version>1.5.1</version>
<versioning>...</versioning>A properly formed metadata should look something like, <metadata>
<groupId>com.github.ben-manes.caffeine</groupId>
<artifactId>caffeine</artifactId>
<versioning>
<latest>2.3.0</latest>
<release>2.3.0</release>
<versioning>...</versioning>Because The exceeded look fine on Maven Central. If you are using a virtual repository (Sonatype, Artifactory) that proxies then perhaps its returning the metadata from one with stale information. You might want to order the repository list if that's the case. |
|
Thanks for your quick response. Yes, we use Sonatype Nexus. The latest version of junit:junit is 4.12, while the report indicates we are ahead of the latest assuming 4.5 is the latest Relevant snippet from the build script shown below - // Dependency Management |
|
Sorry, I meant a build script that demonstrated the problem that I could run to debug with. I think the problem is due to your Sonatype Nexus repository configuration. If you are using it as your project's repository then it might be returning back the Another possibility is something like #97. In that case a BOM was used to lock the dependency resolution to a specific version. This caused the dependency search to not discover the newer versions because the resolution rule disallowed it. If I run your snippet standalone then the report shows the correct information. This indicates that there is a configuration issue in your build or Nexus repository. apply plugin: 'com.github.ben-manes.versions'
apply plugin: 'java'
buildscript {
repositories {
jcenter()
}
dependencies {
classpath 'com.github.ben-manes:gradle-versions-plugin:0.12.0'
}
}
repositories {
jcenter()
}
ext {
axiom_version = '1.2.13'
junitVersion = '4.11'
}
dependencies {
testCompile "asm:asm-analysis:3.1"
testCompile "asm:asm-util:3.1"
testCompile "junit:junit:${junitVersion}"
compile "org.apache.ws.commons.axiom:axiom-api:$axiom_version"
compile "org.apache.ws.commons.axiom:axiom-impl:$axiom_version"
} |
|
Appreciate your prompt reply, @ben-manes. Per your recommendation, tried out few things.
Searched in the following locations:
Comparing dependency (current: junit:junit:4.11, latest: 4.11) http://repo1.maven.org/maven2/junit/junit/maven-metadata.xml https://internal-repo1/nexus/content/groups/public/junit/junit/maven-metadata.xml
https://internal-repo1/nexus/content/groups/public/commons-resources/commons-resources/maven-metadata.xml http://repo1.maven.org/maven2/commons-resources/commons-resources/maven-metadata.xml Failed to determine the latest version for the following dependencies (use --info for details):
The exception that is the cause of unresolved state: Could not find any matches for commons-services:commons-services:+ as no versions of commons-services:commons-services are available. |
|
It sounds like you probably still have a resolution strategy defined somewhere (maybe a plugin) restricting the versions. I think the I'd first try adding an |
|
You're correct. Having a resolution strategy that forces a specific version of library is causing it. It would be nice to have the plugin generate correct report even though the build script has such resolution strategies. Would it be possible to update the plugin to handle this? |
|
Also, displaying the age of the library version referenced in build script would be quite helpful. For example, our build script references jcs:jcs:1.3, while Maven Central metadata.xml doesn't have 1.3 listed even though https://repo1.maven.org/maven2/jcs/jcs/1.3 is available. In that case, the plugin chose 20030822.182132 as the latest version which is not right. It is indeed 6 months behind 1.3 . Comparing dependency (current: jcs:jcs:1.3, latest: 20030822.182132)
Is there anything that can be done to correct this? I guess we can't have a resolution strategy to ignore such versions because in some instances, there could be versions in that format. |
|
Its messy because how much flexibility we have depends on Gradle's APIs. I didn't want to reinvent the dependency management (parsing poms, querying repositories, etc) and then struggle to stay forward compatible (Gradle added resolution strategies, S3 repositories, etc). Delegating to their APIs makes this plugin fairly trivial, but also limits adding workarounds. The JCS example is a broken release, as I'd expect Maven's version plugin to report the wrong result due to Gradle doesn't let us remove resolution strategies from a configuration. We clone the original, rewrite the dependencies, add our own resolution strategy, and resolve it to capture the versions. Potentially we could use a
I suspect Gradle is struggling to understand the |
|
Confirm this issue. in order to explicitly resolve all conflicts. Outdated dependencies are not detected. |
|
Closing since I don't think there is anything for me to do here. But please re-open if I can help. |
|
Hey @ben-manes , I have exactly the same issue with |
|
Unfortunately, no. The only way to safely apply the user's configuration (e.g. repositories, dependencies) is to use Instead you could conditionally force only if this task isn't on the task graph. This would be something like |
|
Thank you @ben-manes for fast response! I will try out your suggestion. |
Hello!
Below is the snippet of report generated using the plugin, where the latest third party library versions are incorrectly reported.
The following dependencies exceed the version found at the release revision level:
The following dependencies have later release versions:
The text was updated successfully, but these errors were encountered: