Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Spock's versioning confuses Dependabot #1697

Open
britter opened this issue Jun 11, 2023 · 3 comments
Open

Spock's versioning confuses Dependabot #1697

britter opened this issue Jun 11, 2023 · 3 comments
Labels
bug

Comments

@britter
Copy link
Contributor

britter commented Jun 11, 2023

Describe the bug

Due to the versioning scheme of Spock 2.x having the Groovy compatibility encoded in the version, Dependabot will always send updates to the groovy-4 variant.

To Reproduce

  1. Create a Gradle project with a dependency to org.spockframework:spock-core:2.1-groovy-3.0
  2. Enable Dependabot and chose gradle as the package-ecosystem
  3. Wait
  4. You will get a PR that tries to update to org.spockframework:spock-core:2.3-groovy-4.0 (or whatever the latest 2.x release is at that time)

Expected behavior

Spockframework should use the classifier portion of the GAV to indicate Groovy compatibility. That way Dependabot can distinguish between the two Groovy variants.

Actual behavior

Spockframework appends the variant information to the version number, which isn't recognized by Dependabot.

Java version

N/A

Buildtool version

N/A

What operating system are you using

Mac

Dependencies

org.spockframework:spock-core:2.1-groovy-3.0

Additional context

No response
@britter britter added the bug label Jun 11, 2023
@Vampire
Copy link
Member

Vampire commented Jun 11, 2023

Dependabot is just one of the many fields this makes problems.
It is for example practically impossible for a Spock plugin to properly depend on Spock due to this.

I also always disliked this encoding in the version.
But encoding the groovy compatibility in the classifier would be even worse, then you do not get the dependencies or always have to have two dependencies.

I still think the proper solution would be to leverage feature variants for this.

@szpak
Copy link
Member

szpak commented Jun 11, 2023
edited
Loading

I had similar issue with Renovate and there it was possible to add some extra rules as a workaround:

packageRules: [
    ...
    {
      matchPackagePrefixes: ["org.spockframework:spock-"],
      matchCurrentVersion: "/-groovy-3\\.0$/",
      allowedVersions: "/-groovy-3\\.0$/"
    },
    {
      matchPackagePrefixes: ["org.spockframework:spock-"],
      matchCurrentVersion: "/-groovy-4\\.0$/",
      allowedVersions: "/-groovy-4\\.0$/"
    },
]

Maybe something similar is also possible with Dependabot?

@britter britter changed the title Spock's versioning confused Dependabot Spock's versioning confuses Dependabot Jun 12, 2023
@bgalek
Copy link

bgalek commented Jun 27, 2023

Got the same problem today, nothing else comes in mind but ignoring Spock in dependabot ;(

@Vampire Vampire mentioned this issue Jul 3, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@szpak @Vampire @britter @bgalek