Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(maven): Disable all parent packages by default #25823

Merged
merged 2 commits into from
Nov 15, 2023

Conversation

zharinov
Copy link
Collaborator

Changes

In most cases (if not all), parent POM is used to define some common variables and isn't published to Maven.

This PR fixes lookups for 2 and more levels of POM parent files.

Context

Documentation (please check one with an [x])

  • I have updated the documentation, or
  • No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

  • Code inspection only, or
  • Newly added/modified unit tests, or
  • No unit tests but ran on a real repository, or
  • Both unit tests + ran on a real repository

Copy link
Member

@viceice viceice left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so if required a user can enable if required?

@zharinov
Copy link
Collaborator Author

Yes, it's optional and can be reverted to current behavior

@zharinov
Copy link
Collaborator Author

But I think in reality nobody will want it

@viceice viceice added this pull request to the merge queue Nov 15, 2023
Merged via the queue into renovatebot:main with commit 5c3eade Nov 15, 2023
36 checks passed
@viceice viceice deleted the fix/maven-mark-all-parent-deps branch November 15, 2023 22:05
@Churro
Copy link
Collaborator

Churro commented Nov 15, 2023

May I ask why the solution suggested in #25758 (reply in thread) wouldn't be enough to solve this?

Disabling updates for all deps with depType = "parent" will also prevent updates to regular deps that are not locally defined. An example for this can be found in the reproduction repo:

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.6.2</version>
    </parent>

With this PR merged, this dep won't see updates anymore, unless the workaround is disabled.

@renovate-release
Copy link
Collaborator

🎉 This PR is included in version 37.60.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

@zharinov
Copy link
Collaborator Author

Your solution is correct, maybe if these two presets work for everyone, we later could just remove parent-root dependency type and prevent lookups for all parent deps.

@zharinov
Copy link
Collaborator Author

Oh, I see actually some packages publish their parent POMs

@zharinov
Copy link
Collaborator Author

zharinov commented Nov 15, 2023

@Churro Now I'm not sure I understand your solution. The if-clause you propose to remove makes depType = "parent-root" from those deps which are already marked as parents. My premise is that parent packages generally aren't used outside of monorepo, so we don't need to lookup them. But in the monorepo itself, while they're being used in children POMs, we can't use those versions which are published in Maven. Therefore, both parent and parent-root could be safely disabled.

@Churro
Copy link
Collaborator

Churro commented Nov 15, 2023

@zharinov, Yes, making them all parent-root also seemed a bit fishy to me and I agree that we wouldn't want to look up dependencies if they are defined locally in parent POMs.

For others that are not locally defined, such as spring-boot-starter-parent in the example above, shouldn't it still be possible to receive updates out-of-the box? This seems to be a very frequent use-case in practice, see here.

Perhaps I'm overlooking something but isn't the root cause that the maven manager impl doesn't properly distinguish between locally and remotely defined parent POMs? It caused org.owasp.webgoat.lesson:webgoat-lessons-parent to be looked up, even though it was defined locally. This PR now disabled updates for any parent deps, regardless of where they are defined.

@breun
Copy link

breun commented Nov 15, 2023

If @Churro is correct that remotely defined parent POMs are now ignored by default, then I can think of many projects that will no longer get their application frameworks updated by Renovate, indeed like application that use Spring Boot for instance, because those applications generally use a framework artifact as the parent to inherit Maven plugin configuration, dependency management, etc. These parents will come typically come from a remote Maven repository. Ignoring parent updates by default sounds like a bad idea to me.

zharinov added a commit to zharinov/renovate that referenced this pull request Nov 16, 2023
@zharinov
Copy link
Collaborator Author

Now I think maybe we need to disable only known set of packages which are generating error messages

@zharinov
Copy link
Collaborator Author

@rarkins What do you think, should we stick to more targeted solution: #18117 (comment)?

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 17, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants