Changes to how Dependabot handles Maven versions

[jonjanego]

Hi Dependabot community. We wanted to let you know about some changes we are making to how we support Maven, and the impact that these changes could have on your projects.

Across Dependabot as a whole, we have been aiming to take a more consistent approach with how we determine precedence among versions. We have started by implementing a change in Dependabot common to follow semantic versioning for ecosystems that have no defined version standards, and are now moving toward implementing changes for specific ecosystems.

After undertaking an audit of the versioning behavior In Maven, we are making changes to Dependabot to follow the Maven version specification so that we determine precedence in a manner consistent with how Maven itself behaves when building a project. This will result in us no longer supporting the following version definitions for dependencies in Maven projects:

Dynamic versioning

We have previously allowed Dependabot to recognize dynamic versioning ranges in a Maven pom file, by supporting use of the + character. This is not an official part of the Maven specification and we will cease its support. The + character will be treated like a normal alphanumeric character, instead of a dynamic version range.

Prerelease qualifiers

We are no longer supporting dev, pre, and pr as prerelease qualifiers, which are not part of the official Maven specification. Maven instead recommends using: alpha, beta, milestone, rc, cr and snapshot.

If your Maven projects define versions using these patterns, you may begin encountering malformed version errors in your Dependabot jobs. To resolve these errors, please update your dependency definitions to follow the Maven version specification. Maven also includes a version testing tool you can use to evaluate your project’s behavior.

Please let us know in the discussion comments below if you have any questions!

[jamezp]

First of all, I'd just like to thank dependabot for making our lives easier in a lot of ways :)

We've notice a few weird issues with what I suspect is the version ordering. One example is wildfly/wildfly#18242 where it changed a SNAPSHOT down to a beta.

Another odd one is downgrading a dependency, see the first commit from dependabot in https://github.com/wildfly/wildfly/pull/18219/commits.

Lastly there appears to be a duplicate upgrade PR wildfly/wildfly#18244 and wildfly/wildfly#18238.

I've opted to post this here instead of creating an issue, but if an issue is preferred please let me know.

[jonjanego]

Hi @jamezp -- thanks for reaching out! If you can create an issue (or even better -- 3 separate, as they are 3 separate problems) - it'd help us triage and figure out what went wrong here. Thanks!

[jamezp]

Thank you for the quick response and done :)

• Maven downgrading a SNAPSHOT dependency from a *.Final-SNAPSHOT to a *.Beta1 #10668
• Maven downgrading a dependency in one POM which really is an upgrade in another POM #10669
• Maven dependabot opened two PR's for the same upgrade #10670

If any of these need more detail don't hesitate to ask.

[sultan]

The Dependabot team has decided to align strictly with Maven qualifiers:

• Changes to how Dependabot handles Maven versions #10626

This alignment makes sense for consistency across tools. Yet recurring issues show that Maven’s current handling of qualifiers is incomplete, impacting multiple companies and users:

• [MNG-7559] ComparableVersion vs versions with custom qualifiers apache/maven#8891
• fix: mark version with "preview" extension as pre-release (#6151) #6747
• Treat -pre version suffix as prerelease. #10207

These issues need to be addressed upstream in Maven Resolver. I am working to encourage Maven to adopt a fix through this PR:

• [MNG-7559] Fix version comparison with case insensitive lexical order apache/maven-resolver#1683

The voice of users and teams such as Dependabot can strongly influence Maven’s willingness to integrate this into Maven 4.

Proposed ordering:

• alpha < beta < milestone < pr = pre = preview < rc = cr < dev < snapshot < final = ga = release < sp

I edited the documentation to discourage the use of certain qualifiers:

• The use of pr, pre, preview is discouraged
• The use of cr is discouraged (use rc instead)
• The use of dev is discouraged
• The use of final, ga, release is discouraged (use no qualifier instead)
• The use of sp is discouraged (increment patch version instead)

As long as discouraged qualifiers continue to be used in practice, tools will still need to support them. Once they are phased out, however, support can be safely dropped.

Optional inclusions:

• ea (early access), edr, pfd (drafts), mr

Target PR to support:

• [MNG-7559] Fix version comparison with case insensitive lexical order apache/maven-resolver#1683

Supporting this upstream effort helps turn recurring patches into a durable solution for the ecosystem. You can help by adding your voice on the Maven Resolver PR — for example, by sharing which qualifiers affect your projects, or by confirming that consistent ordering would reduce the need for local workarounds. Demonstrating real impact from tools like Dependabot makes it harder for Maven to ignore these changes.

Thanks for your input.