Bump resource-disposer from 0.16 to 0.17 in /bom-weekly #794
Bumps [resource-disposer](https://github.com/jenkinsci/resource-disposer-plugin) from 0.16 to 0.17.
- [Release notes](https://github.com/jenkinsci/resource-disposer-plugin/releases)
- [Commits](jenkinsci/resource-disposer-plugin@resource-disposer-0.16...resource-disposer-0.17)

---
updated-dependencies:
- dependency-name: org.jenkins-ci.plugins:resource-disposer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
I love plugins that have not adopted the unusual release versioning scheme introduced in JEP-229. Dependabot has no problem updating those. |
… at least some of the time. Not so in the case of jenkinsci/jenkins#6054. If there is an instance where Dependabot failed to propose an update to a plugin or component using a traditional (non JEP-229) versioning schema, I am not aware of it. |
@basil okay indicates an issue with the indexer on artifactory for repo.jenkins-ci.org or that antifactory is serving something from a cached version. |
I fail to see any evidence in support of this claim. In contrast, I do see evidence in support of my claim that this has something to do with JEP-229:
|
Dependabot relies on Had plenty of experience with artifactory not being reliably inside the indexed maven-metadata.xml to my claim is from experience with Artifactory in over 4 years on premise.
<?xml version="1.0" encoding="UTF-8"?>
<metadata>
<groupId>org.jenkins-ci.main</groupId>
<artifactId>jenkins-test-harness</artifactId>
<versioning>
<latest>1674.v3b8b1441e939</latest>
<release>1674.v3b8b1441e939</release>
<versions>
...
</versions> |
Your previous experiences do not necessarily reflect what is happening in this particular instance.
In the case of |
At least when Jenkins CI is restoring maven dependencies it has multiple times been detected that the HTTP content does not match the expected size which turns the builds red. |
I debugged this. As I suspected, @jetersen was incorrect in his theory that this has something to do with Artifactory. As I suspected, this has everything to do with JEP-229. The code in is filtering out some (but not all) JEP-229 versions as prereleases. Which ones? The ones matching these criteria based on a tokenization of runs of successive digits or letters. Note that "a" and "b" are among the list. So if a JEP-229 version contains a commit whose hash happens to contain a digit, the letter "a" or "b" and another digit, Dependabot will consider the version a prerelease and disqualify it as a potential update. |
Dependabot's tokenization matches Maven's:
The canonical form of the JEP-229 release version 308.v852b473a2b8c is 308.v-852-beta-473-alpha-2-beta-8-c, which is a Maven prerelease. The canonical form of the JEP-229 version 1107.v5dab75aaccbd is 1107.v-5-dab-75-aaccbd, which is not a Maven prerelease. The design of JEP-229 release versions did not take into account Maven prereleases. Dependabot does, and it doesn't offer them. |
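Added example, not part of the thread and not Dependabot's or Maven's code: a simplified Ruby model of the tokenization rule described in the comment above, limited to the "a" and "b" aliases it names. The function names are hypothetical; the version strings are the ones quoted on this page.

```ruby
# Simplified model of the rule described in the thread (assumption: only the
# single-letter aliases "a" and "b" are modelled; real implementations
# recognise more qualifiers).
ALIASES = { "a" => "alpha", "b" => "beta" }.freeze

# Split one dot-separated segment into runs of successive digits or letters.
def runs(segment)
  segment.downcase.scan(/\d+|[a-z]+/)
end

# Canonical form: a lone "a" or "b" run that is directly followed by a
# digit run is expanded to "alpha" or "beta".
def canonical(version)
  version.split(".").map do |segment|
    tokens = runs(segment)
    tokens.each_with_index.map do |tok, i|
      nxt = tokens[i + 1]
      ALIASES.key?(tok) && nxt && nxt.match?(/\A\d+\z/) ? ALIASES[tok] : tok
    end.join("-")
  end.join(".")
end

# A version counts as a prerelease when any canonical token is alpha or beta.
def prerelease?(version)
  canonical(version).split(/[.-]/).any? { |t| ALIASES.value?(t) }
end

# Versions from a list that an updater applying this rule would never offer.
def hidden_from_updates(versions)
  versions.select { |v| prerelease?(v) }
end

# Version strings taken from this page.
SAMPLE = %w[0.17 308.v852b473a2b8c 1107.v5dab75aaccbd 1674.v3b8b1441e939].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE.each do |v|
    puts format("%-22s %-40s prerelease=%s", v, canonical(v), prerelease?(v))
  end
end
```

Running `hidden_from_updates` over the `<versions>` list of a `maven-metadata.xml` shows which releases such an updater would skip, which is worth checking when a security fix ships under an affected version string.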
Thanks @basil for checking out dependabot sources and verifying this. Great findings! @jglick perhaps something should be reconsidered? Based on @basil's findings. I was not excluding that it could be dependabot. But I have had issues previously with indexer on antifactory not serving the correct versions. Perhaps this is not an issue anymore, been a while since I used antifactory. |
Nice digging! I've created jenkins-infra/jenkins.io#4783 |
Bumps resource-disposer from 0.16 to 0.17.
Release notes
Sourced from resource-disposer's releases.
Commits
- c0996bc [maven-release-plugin] prepare release resource-disposer-0.17
- 1e61121 Bump plugin from 4.31 to 4.32
- b4b87f2 Bump plugin from 4.29 to 4.31
- 8808143 Fix deprecation warnings
- 8958286 Bump baseline to 2.235 (#41)
- 59c5762 useAci => useContainerAgent
- da18485 Update Dependabot configuration
- 2c34ec8 Merge pull request #40 from jenkinsci/dependabot/maven/org.jenkins-ci.plugins...
- 9e07f11 Bump plugin from 4.28 to 4.29
- ac7c4e9 Merge pull request #39 from jenkinsci/dependabot/maven/org.jenkins-ci.plugins...