
fix: check versions across all the defined maven registries#13747

Merged
kbukum1 merged 1 commit into dependabot:main from yeikel:fix/fetch-from-all on Feb 3, 2026

Conversation

@yeikel
Contributor

@yeikel yeikel commented Dec 10, 2025

What are you trying to accomplish?

When checking for new versions, we shouldn't assume that the first repository to respond has the latest version, as it might return a stale one. Instead, Dependabot should scan all repositories, aggregate all available metadata for an artifact, and select the highest version available across them.

This behavior was introduced with #5872 in order to reduce the network load, and while the following is true when resolving:

Remote repository URLs are queried in the following order for artifacts until one returns a valid result

this does not directly translate to looking for new versions, as documented in the spec.

For more details, see #5872 (comment)

Fixes #9383

How will you know you've accomplished your goal?

Running the updated version using my reproducer works as expected.

See: https://github.com/yeikel/dependabot-reproducer-9383

Current:

updater | 2025/12/10 06:13:56 INFO Latest version is 0.11.0-sshd-314-1
updater | 2025/12/10 06:13:56 INFO No update needed for org.apache.sshd:sshd-core 2.11.0
{"data":{"base-commit-sha":"6dbf65dc2b7a652b60054518953e70fe2a9fa21e"},"type":"mark_as_processed"}
proxy | 2025/12/10 06:13:56 [023] PATCH http://host.docker.internal:57186/update_jobs/cli/mark_as_processed
proxy | 2025/12/10 06:13:56 [023] 200 http://host.docker.internal:57186/update_jobs/cli/mark_as_processed
updater | 2025/12/10 06:13:56 INFO Finished job processing
proxy | 2025/12/10 06:13:56 Skipping sending metrics because api endpoint is empty
proxy | 2025/12/10 06:13:56 0/10 calls cached (0%)

After:

updater | 2025/12/10 06:19:56 INFO Latest version is 2.16.0
{"data":{"base-commit-sha":"6dbf65dc2b7a652b60054518953e70fe2a9fa21e"},"type":"mark_as_processed"}
proxy | 2025/12/10 06:20:00 [062] PATCH http://host.docker.internal:57437/update_jobs/cli/mark_as_processed
proxy | 2025/12/10 06:20:00 [062] 200 http://host.docker.internal:57437/update_jobs/cli/mark_as_processed
updater | 2025/12/10 06:20:00 INFO Finished job processing
updater | 2025/12/10 06:20:00 INFO Results:
updater | +---------------------------------------------------------------+
updater | | Changes to Dependabot Pull Requests |
updater | +---------+-----------------------------------------------------+
updater | | created | org.apache.sshd:sshd-core ( from 2.11.0 to 2.16.0 ) |
updater | +---------+-----------------------------------------------------+
proxy | 2025/12/10 06:20:00 Skipping sending metrics because api endpoint is empty
proxy | 2025/12/10 06:20:00 4/29 calls cached (13%)

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

@yeikel yeikel requested a review from a team as a code owner December 10, 2025 06:36
@github-actions github-actions bot added the L: java:maven Maven packages via Maven label Dec 10, 2025
@yeikel yeikel changed the title fix: check versions across all the defined registries fix: check versions across all the defined maven registries Dec 10, 2025
@yeikel yeikel force-pushed the fix/fetch-from-all branch 14 times, most recently from 50e3c52 to 1d7eea3 on December 17, 2025 04:18
@yeikel yeikel force-pushed the fix/fetch-from-all branch 7 times, most recently from d4ec419 to ddf0f86 on December 23, 2025 02:09
@yeikel
Contributor Author

yeikel commented Dec 31, 2025

@kbukum1

Could you please review this and share your feedback if any?

Thank you in advance!

Contributor

Copilot AI left a comment


Pull request overview

This PR fixes Maven version checking to scan all configured repositories instead of stopping at the first repository that responds. Previously, Dependabot would break after finding versions in the first repository, potentially missing newer versions available in other repositories. The fix ensures the highest version across all repositories is correctly identified.

Key changes:

  • Modified version collection logic to aggregate results from all repositories
  • Added test coverage for multi-repository scenarios
  • Updated test expectations to reflect correct behavior when versions exist in multiple repositories

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
maven/lib/dependabot/maven/package/package_details_fetcher.rb Removed break statement to continue collecting versions from all repositories instead of stopping at the first
maven/spec/fixtures/maven_central_metadata/with_release_older_version.xml Added fixture representing a repository with older versions to test cross-repository version comparison
maven/spec/dependabot/maven/update_checker/version_finder_spec.rb Added test case validating that all repositories are checked and the highest version is selected; updated existing test expectations to reflect corrected source_url behavior
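The before/after behaviour that the PR description and the review summary above describe, as an added Ruby example that is not Dependabot's own code (the real logic lives in package_details_fetcher.rb and uses Dependabot's own Maven version class). The repository URLs and the maven-metadata.xml bodies are constructed fixtures for this example, fetch_metadata stands in for the HTTP GET, and Gem::Version is assumed to order these particular version strings the same way Maven would:

```ruby
require "rexml/document"

# Constructed maven-metadata.xml responses keyed by repository URL. These are
# made-up fixtures on hypothetical hosts, not Dependabot's spec fixtures.
# Repository A answers first but only knows a stale build, repository B (a
# Maven Central stand-in) has the current releases, and repository C does not
# know the artifact at all (a 404 in real life, nil here).
REPOSITORIES = {
  "https://repo-a.example.invalid/maven2" => <<~XML,
    <metadata>
      <groupId>org.apache.sshd</groupId>
      <artifactId>sshd-core</artifactId>
      <versioning>
        <latest>0.11.0-sshd-314-1</latest>
        <versions>
          <version>0.11.0-sshd-314-1</version>
        </versions>
      </versioning>
    </metadata>
  XML
  "https://repo-b.example.invalid/maven2" => <<~XML,
    <metadata>
      <groupId>org.apache.sshd</groupId>
      <artifactId>sshd-core</artifactId>
      <versioning>
        <latest>2.16.0</latest>
        <versions>
          <version>2.11.0</version>
          <version>2.15.0</version>
          <version>2.16.0</version>
        </versions>
      </versioning>
    </metadata>
  XML
  "https://repo-c.example.invalid/maven2" => nil,
}.freeze

# Stand-in for GET "#{repo_url}/<group path>/<artifactId>/maven-metadata.xml".
# Returns the XML body, or nil when the repository has no metadata for the
# artifact (or serves metadata for something else).
def fetch_metadata(repo_url, group_id, artifact_id)
  body = REPOSITORIES[repo_url]
  return nil if body.nil?
  return nil unless body.include?("<groupId>#{group_id}</groupId>") &&
                    body.include?("<artifactId>#{artifact_id}</artifactId>")
  body
end

# All <version> entries advertised by one metadata document ([] for nil).
def versions_in(metadata_xml)
  return [] if metadata_xml.nil?
  doc = REXML::Document.new(metadata_xml)
  REXML::XPath.match(doc, "//versioning/versions/version").map(&:text)
end

# Every [version, repository] pair the repositories advertise, in list order.
# first_only: true reproduces the pre-fix behaviour of stopping at the first
# repository that returns any versions (the `break` this PR removes).
def candidate_versions(repo_urls, group_id, artifact_id, first_only: false)
  candidates = []
  repo_urls.each do |url|
    found = versions_in(fetch_metadata(url, group_id, artifact_id))
    candidates.concat(found.map { |v| [v, url] })
    break if first_only && !found.empty?
  end
  candidates
end

# Highest advertised version strictly newer than the current one, together
# with the repository it came from; nil when no update is needed.
# Assumption: Gem::Version orders these strings like Maven does (Maven's
# qualifier rules differ in general, so a real implementation uses the
# ecosystem's own version class). Enumerable#max_by keeps the first element
# that attains the maximum, so when two repositories advertise the same
# winning version the earlier-listed one supplies the source URL.
def pick_update(current_version, candidates)
  current = Gem::Version.new(current_version)
  newer = candidates.select { |v, _| Gem::Version.new(v) > current }
  newer.max_by { |v, _| Gem::Version.new(v) }
end

if __FILE__ == $PROGRAM_NAME
  repos = REPOSITORIES.keys
  [true, false].each do |first_only|
    cands = candidate_versions(repos, "org.apache.sshd", "sshd-core", first_only: first_only)
    update = pick_update("2.11.0", cands)
    puts "first_only=#{first_only}: " +
         (update ? "update to #{update[0]} from #{update[1]}" : "no update needed")
  end
end
```

With first_only: true the stale repository A is the only one consulted and nothing newer than 2.11.0 is found, which is the "No update needed" outcome in the "Current" log above; with all repositories consulted, 2.16.0 from repository B wins. One consequence worth keeping in mind: once every configured registry is consulted, any one of them can supply the winning version, so the set of registries a Dependabot job is pointed at is a trust decision, not just a performance setting.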

@yeikel yeikel force-pushed the fix/fetch-from-all branch 6 times, most recently from b6453f8 to 3ada364 on January 7, 2026 19:18
@yeikel yeikel force-pushed the fix/fetch-from-all branch 3 times, most recently from 2e8026d to f1d0bcf on January 14, 2026 14:44
@yeikel yeikel force-pushed the fix/fetch-from-all branch 5 times, most recently from 72f8176 to cbffdc0 on January 26, 2026 23:29
@yeikel
Contributor Author

yeikel commented Jan 26, 2026

@kbukum1

Could you please clarify what's blocking this merge? Do you need any additional information, reproducer or tests?

Thanks

@yeikel yeikel force-pushed the fix/fetch-from-all branch 2 times, most recently from 7d77995 to 864965a on February 2, 2026 19:59
@kbukum1 kbukum1 moved this to Scoping in Dependabot Feb 2, 2026
@kbukum1 kbukum1 moved this from Scoping to On Hold in Dependabot Feb 2, 2026
@kbukum1 kbukum1 force-pushed the fix/fetch-from-all branch from 864965a to 920df76 on February 3, 2026 22:21
@kbukum1 kbukum1 moved this from On Hold to In Progress in Dependabot Feb 3, 2026
@kbukum1 kbukum1 merged commit 02d5665 into dependabot:main Feb 3, 2026
63 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Dependabot Feb 3, 2026
@yeikel yeikel deleted the fix/fetch-from-all branch February 3, 2026 23:25

Labels

L: java:maven Maven packages via Maven

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

Maven version search should search all repositories, not stop after the first maven-metadata.xml

3 participants