use-latest-releases checks transitive dependencies instead of direct dependencies

[AdrienHorgnies]

Given the following pom.xml file :

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.4</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>demo</name>
    <description>demo</description>
    <properties>
        <java.version>17</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

I expected the command :

mvn org.codehaus.mojo:versions-maven-plugin:2.12.0:use-latest-releases -DallowMajorUpdates=false -DgenerateBackupPoms=false

to give the following input :

[INFO] --- versions-maven-plugin:2.12.0:use-latest-releases (default-cli) @ demo ---
[INFO] Minor version changes allowed
[INFO] artifact org.springframework.boot:spring-boot-starter-parent: checking for updates from central

But instead it checks all the following dependencies :

[INFO] --- versions-maven-plugin:2.12.0:use-latest-releases (default-cli) @ demo ---
[INFO] Minor version changes allowed
[INFO] artifact io.netty:netty-transport-sctp: checking for updates from central
[INFO] artifact io.netty:netty-transport-udt: checking for updates from central
[INFO] artifact io.netty:netty-example: checking for updates from central
[INFO] artifact io.netty:netty-all: checking for updates from central
[INFO] artifact io.netty:netty-resolver-dns-classes-macos: checking for updates from central
[INFO] artifact io.netty:netty-resolver-dns-native-macos: checking for updates from central
[INFO] artifact io.netty:netty-transport-native-unix-common: checking for updates from central
[INFO] artifact io.netty:netty-transport-classes-epoll: checking for updates from central
[INFO] artifact io.netty:netty-transport-native-epoll: checking for updates from central
[INFO] artifact io.netty:netty-transport-classes-kqueue: checking for updates from central
[INFO] artifact io.netty:netty-transport-native-kqueue: checking for updates from central
[INFO] artifact io.netty:netty-tcnative-classes: checking for updates from central
[INFO] artifact io.netty:netty-tcnative: checking for updates from central
[INFO] artifact io.netty:netty-tcnative-boringssl-static: checking for updates from central
OUPUT SKIPPED

I believe it's because it checks all the transitive dependencies rather than only the direct dependencies. It's troublesome because on big projects, it's very long. I tried running it the other day, and I gave up after 9 hours of runtime. The next day, I made it run from a server which has a very high bandwidth to our Nexus, and it took 7h30.

I checked the code of UseLatestReleaseMojo.java, and I saw it's calling the method getDependencies. This method returns transitive dependencies. And I don't see any filtering before the call to getNewerVersions, which I guess is doing the slow HTTP queries. I think the code should only fetch the direct dependencies. I can write the PR if I get any feedback.

[andrzejj0]

Are you sure it's because of transitive dependencies rather than because of maven unwrapping the parent POM? I've tested your test case without the parent and noticed no extra dependency retrieval.

[AdrienHorgnies]

I think you're right. But why is it doing so ? I want to upgrade the versions of my project, I cannot upgrade Spring Boot internal's versions. The dependencies of my parent are still transitive dependencies.

[andrzejj0]

The issue is caused by Maven using the dependencyManagement section from parent. This will get resolved when #814 is merged.

Still thinking when/if this issue might be triggered for dependencies. If that would be the case, dependencies would also need to be processed from raw model.