Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Versions Maven Plugin not showing latest plugins available with ignores. #959

Closed
garretwilson opened this issue May 20, 2023 · 108 comments
Closed
Labels
Milestone

Comments

@garretwilson
Copy link

garretwilson commented May 20, 2023

On Windows 10 with Maven 3.9.1 I upgraded to org.codehaus.mojo:versions-maven-plugin:2.15.0.

<plugin>
  <groupId>org.codehaus.mojo</groupId>
  <artifactId>versions-maven-plugin</artifactId>
  <version>2.15.0</version>
</plugin>

I wanted to see what plugins were out of date, so I ran:

mvn versions:display-plugin-updates

It shows this:

[INFO] The following plugin updates are available:
[INFO]   maven-failsafe-plugin .......................... 2.22.2 -> 3.0.0-M7
[INFO]   maven-release-plugin ............................ 2.5.3 -> 3.0.0-M6
[INFO]   maven-site-plugin .............................. 3.12.1 -> 4.0.0-M3
[INFO]   maven-surefire-plugin .......................... 2.22.2 -> 3.0.0-M7
[INFO]   org.springframework.boot:spring-boot-maven-plugin .. 2.7.3 -> 3.0.5

So I added ignores for milestone releases as discussed in #684 and originally in #258:

<plugin>
  <groupId>org.codehaus.mojo</groupId>
  <artifactId>versions-maven-plugin</artifactId>
  <version>2.15.0</version>
  <configuration>
    <ruleSet>
      <ignoreVersions>
        <ignoreVersion><type>regex</type><version>.*-SNAPSHOT</version></ignoreVersion>
        <ignoreVersion><type>regex</type><version>.*-alpha(?:-?\d+)?</version></ignoreVersion>
        <ignoreVersion><type>regex</type><version>.*-beta(?:-?\d+)?</version></ignoreVersion>
        <ignoreVersion><type>regex</type><version>.*-M(?:-?\d+)?</version></ignoreVersion>
        <ignoreVersion><type>regex</type><version>.*-RC(?:-?\d+)?</version></ignoreVersion>
        <ignoreVersion><type>regex</type><version>.*-pfd(?:-?\d+)?</version></ignoreVersion>
      </ignoreVersions>
    </ruleSet>
  </configuration>
</plugin>

Now when I run mvn versions:display-plugin-updates it gives me:

[INFO] No plugins require a newer version of Maven than specified by the pom.

This is wrong on several counts. org.apache.maven.plugins:maven-failsafe-plugin for example has v3.0.0 and 3.1.0 available—two versions released after the current version.

And the bug apparently has nothing to do with ignoring the *-M* versions, because it even skipped Spring Boot Maven Plugin, which is currently at v3.1.0.

This would appear critically broken, in that it does not show new versions, which is the essential function of this goal.

Or did I get the regular expressions wrong somehow? (I think they can be simplified a bit; I was starting from those in a Stack Overflow answer. But in any case I don't see how these regular expressions would be hiding versions in the form 3.0.5.)

@andrzejj0
Copy link
Contributor

andrzejj0 commented May 20, 2023

Can't reproduce.

Using version 2.15.0 with a minimal pom.xml with the failsafe plugin and the rule set you provided:

<build>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>versions-maven-plugin</artifactId>
        <version>2.15.0</version>
        <executions>
          <execution>
            <id>run</id>
            <phase>validate</phase>
            <goals>
              <goal>display-plugin-updates</goal>
            </goals>
            <configuration>
              <ruleSet>
                <ignoreVersions>
                  <ignoreVersion><type>regex</type><version>.*-SNAPSHOT</version></ignoreVersion>
                  <ignoreVersion><type>regex</type><version>.*-alpha(?:-?\d+)?</version></ignoreVersion>
                  <ignoreVersion><type>regex</type><version>.*-beta(?:-?\d+)?</version></ignoreVersion>
                  <ignoreVersion><type>regex</type><version>.*-M(?:-?\d+)?</version></ignoreVersion>
                  <ignoreVersion><type>regex</type><version>.*-RC(?:-?\d+)?</version></ignoreVersion>
                  <ignoreVersion><type>regex</type><version>.*-pfd(?:-?\d+)?</version></ignoreVersion>
                </ignoreVersions>
              </ruleSet>
            </configuration>
          </execution>
        </executions>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-failsafe-plugin</artifactId>
        <version>2.22.2</version>
      </plugin>
    </plugins>
  </build>
[DEBUG] Version 3.0.0-M1 for artifact org.apache.maven.plugins:maven-failsafe-plugin found on ignore list: .*-M(?:-?\d+)? (regex)
[DEBUG] Version 3.0.0-M2 for artifact org.apache.maven.plugins:maven-failsafe-plugin found on ignore list: .*-M(?:-?\d+)? (regex)
[DEBUG] Version 3.0.0-M3 for artifact org.apache.maven.plugins:maven-failsafe-plugin found on ignore list: .*-M(?:-?\d+)? (regex)
[DEBUG] Version 3.0.0-M4 for artifact org.apache.maven.plugins:maven-failsafe-plugin found on ignore list: .*-M(?:-?\d+)? (regex)
[DEBUG] Version 3.0.0-M5 for artifact org.apache.maven.plugins:maven-failsafe-plugin found on ignore list: .*-M(?:-?\d+)? (regex)
[DEBUG] Version 3.0.0-M6 for artifact org.apache.maven.plugins:maven-failsafe-plugin found on ignore list: .*-M(?:-?\d+)? (regex)
[DEBUG] Version 3.0.0-M7 for artifact org.apache.maven.plugins:maven-failsafe-plugin found on ignore list: .*-M(?:-?\d+)? (regex)
[DEBUG] Version 3.0.0-M8 for artifact org.apache.maven.plugins:maven-failsafe-plugin found on ignore list: .*-M(?:-?\d+)? (regex)
[DEBUG] Version 3.0.0-M9 for artifact org.apache.maven.plugins:maven-failsafe-plugin found on ignore list: .*-M(?:-?\d+)? (regex)
[DEBUG] [org.apache.maven.plugins:maven-failsafe-plugin].version=2.22.2
[DEBUG] [org.apache.maven.plugins:maven-failsafe-plugin].artifactVersion=3.1.0
[DEBUG] [org.apache.maven.plugins:maven-failsafe-plugin].effectiveVersion=2.22.2
[DEBUG] [org.apache.maven.plugins:maven-failsafe-plugin].specified=true
[DEBUG] Checking org.codehaus.mojo:versions-maven-plugin for updates newer than 2.15.0
[DEBUG] Found ignored versions: .*-SNAPSHOT (regex), .*-alpha(?:-?\d+)? (regex), .*-beta(?:-?\d+)? (regex), .*-M(?:-?\d+)? (regex), .*-RC(?:-?\d+)? (regex), .*-pfd(?:-?\d+)? (regex)

and further:

[DEBUG] [org.codehaus.mojo:versions-maven-plugin].version=2.15.0
[DEBUG] [org.codehaus.mojo:versions-maven-plugin].artifactVersion=2.15.0
[DEBUG] [org.codehaus.mojo:versions-maven-plugin].effectiveVersion=2.15.0
[DEBUG] [org.codehaus.mojo:versions-maven-plugin].specified=true
[INFO] 
[INFO] The following plugin updates are available:
[INFO]   maven-failsafe-plugin ............................. 2.22.2 -> 3.1.0
[INFO] 
[INFO] All plugins have a version specified.
[INFO] 
[DEBUG] MinimalMavenBuildVersionFinder: No maven-enforcer-plugin used
[WARNING] Project does not define minimum Maven version required for build, default is: 3.2.5
[INFO] Plugins require minimum Maven version of: 3.2.5

So, feel free to provide a pom.xml or a debug log or anything that would help reproduce this.

@garretwilson
Copy link
Author

garretwilson commented May 20, 2023

So, feel free to provide a pom.xml or a debug log or anything that would help reproducing this.

Sure. Use this pom.xml. It's the exact POM I'm using except that I had advanced the overall POM version to the next -SNAPSHOT version (which should have no influence on this issue).

@andrzejj0
Copy link
Contributor

Otherwise, you're free to contribute.

@andrzejj0
Copy link
Contributor

andrzejj0 commented May 20, 2023

Without any rules, it will show upgrades to 3.1.0 etc.

  globalmentor-root git:(main) mvn org.codehaus.mojo:versions-maven-plugin:2.15.0:display-plugin-updates

will give

[INFO] Scanning for projects...
[INFO] Inspecting build with total of 1 modules...
[INFO] Installing Nexus Staging features:
[INFO]   ... total of 1 executions of maven-deploy-plugin replaced with nexus-staging-maven-plugin
[INFO] 
[INFO] -----------------< com.globalmentor:globalmentor-root >-----------------
[INFO] Building GlobalMentor Root 0.8.15
[INFO]   from pom.xml
[INFO] --------------------------------[ pom ]---------------------------------
[INFO] 
[INFO] --- versions:2.15.0:display-plugin-updates (default-cli) @ globalmentor-root ---
[INFO] 
[INFO] The following plugin updates are available:
[INFO]   com.akathist.maven.plugins.launch4j:launch4j-maven-plugin  2.1.3 -> 2.4.1
[INFO]   maven-assembly-plugin .............................. 3.4.2 -> 3.6.0
[INFO]   maven-compiler-plugin ............................ 3.10.1 -> 3.11.0
[INFO]   maven-dependency-plugin ............................ 3.3.0 -> 3.5.0
[INFO]   maven-deploy-plugin ................................ 3.0.0 -> 3.1.1
[INFO]   maven-enforcer-plugin .............................. 3.1.0 -> 3.3.0
[INFO]   maven-failsafe-plugin ............................. 2.22.2 -> 3.1.0
[INFO]   maven-install-plugin ............................... 3.0.1 -> 3.1.1
[INFO]   maven-jar-plugin ................................... 3.2.2 -> 3.3.0
[INFO]   maven-release-plugin ............................... 2.5.3 -> 3.0.0
[INFO]   maven-resources-plugin ............................. 3.3.0 -> 3.3.1
[INFO]   maven-site-plugin .............................. 3.12.1 -> 4.0.0-M8
[INFO]   maven-surefire-plugin ............................. 2.22.2 -> 3.1.0
[INFO]   org.codehaus.mojo:build-helper-maven-plugin ........ 3.3.0 -> 3.4.0
[INFO]   org.codehaus.mojo:versions-maven-plugin .......... 2.12.0 -> 2.15.0
[INFO]   org.springframework.boot:spring-boot-maven-plugin .. 2.7.3 -> 3.1.0
[INFO] 
[INFO] All plugins have a version specified.
[INFO] 
[INFO] Project requires minimum Maven version for build of: 3.5.0
[INFO] Plugins require minimum Maven version of: 3.2.5
[INFO] 
[INFO] No plugins require a newer version of Maven than specified by the pom.
[INFO] 
[INFO] Require Maven 3.6.3 to use the following plugin updates:
[INFO]   maven-help-plugin .................................. 3.3.0 -> 3.4.0
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  4.787 s
[INFO] Finished at: 2023-05-20T19:28:09+02:00
[INFO] ------------------------------------------------------------------------

@garretwilson
Copy link
Author

You also mentioned:

        <executions>
          <execution>
            <id>run</id>
            <phase>validate</phase>
            <goals>
              <goal>display-plugin-updates</goal>
            </goals>

Just a note: this may or may not make a difference, but please note that in my report I am not tying check to any lifecycle. I am invoking it from the command line. (This is essential for my use case.)

You should be able to simply take the POM I linked to and run the Bash/PowerShell command I mentioned. Then add the exact configuration I provided to the POM with no further changes.

@garretwilson
Copy link
Author

Without any rules, it will show upgrades to 3.1.0 etc.

Yes. 👍

The whole point of of this ticket is that by adding ignore rules for e.g. milestones, it will also, incorrectly and erroneously, ignore valid, non-ignored versions.

@andrzejj0
Copy link
Contributor

andrzejj0 commented May 20, 2023

Well, the phase is there so that I can then invoke it using validate. This does not influence anything.

Please read the output of the command line invocation above.

And with a set of ignored versions:

mvn org.codehaus.mojo:versions-maven-plugin:2.15.0:display-plugin-updates -Dmaven.version.ignore=1\.0\.1,.+-M.
[INFO] --- versions:2.15.0:display-plugin-updates (default-cli) @ globalmentor-root ---
[INFO] 
[INFO] The following plugin updates are available:
[INFO]   com.akathist.maven.plugins.launch4j:launch4j-maven-plugin  2.1.3 -> 2.4.1
[INFO]   maven-assembly-plugin .............................. 3.4.2 -> 3.6.0
[INFO]   maven-compiler-plugin ............................ 3.10.1 -> 3.11.0
[INFO]   maven-dependency-plugin ............................ 3.3.0 -> 3.5.0
[INFO]   maven-deploy-plugin ................................ 3.0.0 -> 3.1.1
[INFO]   maven-enforcer-plugin .............................. 3.1.0 -> 3.3.0
[INFO]   maven-failsafe-plugin ............................. 2.22.2 -> 3.1.0
[INFO]   maven-install-plugin ............................... 3.0.1 -> 3.1.1
[INFO]   maven-jar-plugin ................................... 3.2.2 -> 3.3.0
[INFO]   maven-release-plugin ............................... 2.5.3 -> 3.0.0
[INFO]   maven-resources-plugin ............................. 3.3.0 -> 3.3.1
[INFO]   maven-surefire-plugin ............................. 2.22.2 -> 3.1.0
[INFO]   org.codehaus.mojo:build-helper-maven-plugin ........ 3.3.0 -> 3.4.0
[INFO]   org.codehaus.mojo:versions-maven-plugin .......... 2.12.0 -> 2.15.0
[INFO]   org.springframework.boot:spring-boot-maven-plugin .. 2.7.3 -> 3.1.0
[INFO] 
[INFO] All plugins have a version specified.
[INFO] 
[INFO] Project requires minimum Maven version for build of: 3.5.0
[INFO] Plugins require minimum Maven version of: 3.2.5
[INFO] 
[INFO] No plugins require a newer version of Maven than specified by the pom.
[INFO] 
[INFO] Require Maven 3.6.3 to use the following plugin updates:
[INFO]   maven-help-plugin .................................. 3.3.0 -> 3.4.0

@garretwilson
Copy link
Author

Oh, @ajarmoniuk , could it be that I looked at the wrong section of my output? (It was several screens-ful.)

I saw:

[INFO] No plugins require a newer version of Maven than specified by the pom.

But now I see that this is saying that no plugins require a newer version of Maven, not that no plugins have updates.

It may be that I didn't see the list scrolled up above it.

I'm late for a meeting right now, but give me two or three hours and I'll double-check this. I appreciate your quick reply. It's possible that this is my mistake, looking at the wrong output. I'll reply back after my meeting.

@garretwilson
Copy link
Author

garretwilson commented May 20, 2023

@ajarmoniuk I was hoping that I had just made a mistake and looked at the wrong section of the output. Unfortunately I'm still seeing what I initially reported in this ticket, and I cannot reproduce the output you have.

Here is the exact POM I am testing against:

https://bitbucket.org/globalmentor/globalmentor-root/src/04937a60d6278f781840d510ce929e1a2a82c560/pom.xml?at=issues%2FJAVA-241

Please note that I am using Apache Maven 3.9.1 (2e178502fcdbffc201671fb2537d0cb4b4cc58f8).

Here is the exact command I'm running, using Git for Windows Bash (or with PowerShell):

mvn versions:display-plugin-updates

Here is my output:

[INFO] Scanning for projects...
[INFO] Inspecting build with total of 1 modules...
[INFO] Installing Nexus Staging features:
[INFO]   ... total of 1 executions of maven-deploy-plugin replaced with nexus-staging-maven-plugin
[INFO]
[INFO] -----------------< com.globalmentor:globalmentor-root >-----------------
[INFO] Building GlobalMentor Root 0.8.16-SNAPSHOT
[INFO]   from pom.xml
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- versions:2.15.0:display-plugin-updates (default-cli) @ globalmentor-root ---
[INFO]
[INFO] The following plugin updates are available:
[INFO]   org.springframework.boot:spring-boot-maven-plugin .. 2.7.3 -> 3.0.5
[INFO]
[INFO] All plugins have a version specified.
[INFO]
[INFO] Project requires minimum Maven version for build of: 3.5.0
[INFO] Plugins require minimum Maven version of: 3.2.5
[INFO]
[INFO] No plugins require a newer version of Maven than specified by the pom.
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
…

Here is the only plugin it says needs updating:

[INFO]   org.springframework.boot:spring-boot-maven-plugin .. 2.7.3 -> 3.0.5

But something stranger is going on. You'll note that in your output, it shows that the latest version for org.springframework.boot:spring-boot-maven-plugin is v3.1.0, which is correct. But for me it is showing v3.0.5, whether nor not I add ignoreVersion to the configuration!

In addition I see that your output includes things like com.akathist.maven.plugins.launch4j:launch4j-maven-plugin 2.1.3 -> 2.4.1 which is correct, but I don't see that output whether I have ignoreVersion added or not.

It's as if my machine is stuck connected to an old version of Maven Central. It's unclear whether this is a plugin bug; it seems to be related to what information my machine is getting from Maven Central. Can you help me with any hints of what might be happening?

@garretwilson
Copy link
Author

@ajarmoniuk , where does the Version Maven Plugin get its information from, and how does it cache the results? Does it rely on some version in Maven's cache? Does it keep its own cache? Does it always query the information each time, bypassing any cache?

@garretwilson
Copy link
Author

garretwilson commented May 20, 2023

I tried running this with Maven 3.9.2. Maven tells me there are validation problems with org.codehaus.mojo:versions-maven-plugin:2.15.0. I run with -Dmaven.plugin.validation=VERBOSE, and it tells me:

[WARNING] Plugin validation issues were detected in 1 plugin(s)
[WARNING]
[WARNING]  * org.codehaus.mojo:versions-maven-plugin:2.15.0
[WARNING]   Declared at location(s):
[WARNING]    * unknown
[WARNING]   Used in module(s):
[WARNING]    * com.globalmentor:globalmentor-root:0.8.16-SNAPSHOT (pom.xml)
[WARNING]   Plugin issue(s):
[WARNING]    * Plugin depends on plexus-container-default, which is EOL

It also tells me:

If no upgrade available, please notify plugin maintainers about reported issues.

I'll check to see if there is a separate issue for that already. I hope I don't get a warning each time I use the plugin after upgrading to Maven 3.9.2. But for this current issue, I wonder if using this end-of-life plexus-container-default plugin could have anything to do with the latest versions not showing up when running on my machine? (I don't know that it does—I'm just asking. I'm trying to find out what's causes this, and so far there are few leads.)

In any case, Maven 3.9.2 gives me the same outdated output.

@garretwilson
Copy link
Author

garretwilson commented May 21, 2023

@ajarmoniuk your output had DEBUG in it, which gave me an idea: I ran Maven with the -X option, and here is part of my result:

…
[DEBUG] Checking com.akathist.maven.plugins.launch4j:launch4j-maven-plugin for updates newer than 2.1.3
[DEBUG] Could not find metadata com.akathist.maven.plugins.launch4j:launch4j-maven-plugin/maven-metadata.xml in local (C:\Users\user\.m2\repository)
[DEBUG] Skipped remote request for com.akathist.maven.plugins.launch4j:launch4j-maven-plugin/maven-metadata.xml, locally cached metadata up-to-date
[DEBUG] [com.akathist.maven.plugins.launch4j:launch4j-maven-plugin].version=2.1.3
[DEBUG] [com.akathist.maven.plugins.launch4j:launch4j-maven-plugin].artifactVersion=2.1.2
[DEBUG] [com.akathist.maven.plugins.launch4j:launch4j-maven-plugin].effectiveVersion=2.1.3
[DEBUG] [com.akathist.maven.plugins.launch4j:launch4j-maven-plugin].specified=true
…

As I mentioned above, your output includes com.akathist.maven.plugins.launch4j:launch4j-maven-plugin 2.1.3 -> 2.4.1, while mine does not. So Maven wasn't seeing that com.akathist.maven.plugins.launch4j:launch4j-maven-plugin:2.1.3 needed updating. This debug information seems to be saying that it can't find C:\Users\user\.m2\repository\com\akathist\maven\plugins\launch4j\launch4j-maven-plugin\maven-metadata.xml. And in fact that file does not exist! Instead I have C:\Users\user\.m2\repository\com\akathist\maven\plugins\launch4j\launch4j-maven-plugin\maven-metadata-central.xml. I wonder what the difference is? I can't really find information about this online.

But the more ominous line is this one:

[DEBUG] Skipped remote request for com.akathist.maven.plugins.launch4j:launch4j-maven-plugin/maven-metadata.xml, locally cached metadata up-to-date

Why does it think that the local metadata is up-to-date? As mentioned there is no C:\Users\user\.m2\repository\com\akathist\maven\plugins\launch4j\launch4j-maven-plugin\maven-metadata.xml file, so I don't know what it's talking about. However the maven-metadata-central.xml file contains <lastUpdated>20210818055556</lastUpdated>, and https://www.epochconverter.com/ tells me that this date is… Saturday, June 16, 2610 12:07:35.556 PM! 😮

Oh, my … what has screwed up the timestamps in my local Maven repository? Could it have been a plugin? Or Eclipse m2e? (I'm using Eclipse EE 2023-03.)

There are several confusing things for C:\Users\user\.m2\repository\com\akathist\maven\plugins\launch4j\launch4j-maven-plugin\:

  • The checksum in maven-metadata-central.xml.sha1 matches the SHA-1 hash of maven-metadata-central.xml. But the file timestamp on maven-metadata-central.xml is almost a month later (2022-10-02) than that of maven-metadata-central.xml.sha1 (2022-09-08).
  • The <lastUpdated>20210818055556</lastUpdated> inside maven-metadata-central.xml, as mentioned above, indicates 2610-06-16.
  • The resolver-status.properties file timestamp is identical to that of maven-metadata-central.xml.sha1, so they were apparently modified at the same time. The comments inside resolver-status.properties also say it was modified on 2022-09-08, and the central.maven-metadata-central.xml.lastUpdated=1662676475074 inside the file also seems to say that Maven Central was checked on that date.

OK, now here is something interesting. On 2022-09-08 is when I released v0.8.10 of this POM to Maven Central. As part of doing that:

  • mvn versions:use-releases -DprocessParent -DgenerateBackupPoms=false was used to switch to the latest released versions.
  • mvn versions:set -DremoveSnapshot -DgenerateBackupPoms=false was used to drop the -SNAPSHOT version from the project.
  • mvn versions:display-dependency-updates was used to list any outdated dependencies to make sure they are up-to-date before final release.

Since the checksum of maven-metadata-central.xml matches that in maven-metadata-central.xml.sha1, which was updated on 2022-09-08, it seems likely that the incorrect <lastUpdated>20210818055556</lastUpdated> was set on 2022-09-08. Have you heard of versions:use-releases, versions:set, or versions:display-dependency-updates ever setting a <lastUpdated> in the future? Does it update the metadata in the local repository itself, or does it rely on Maven to do this? (Eclipse m2e is also a potential culprit.)

@andrzejj0
Copy link
Contributor

andrzejj0 commented May 21, 2023

Hi, could you please share the whole obfuscated debug log somewhere?

The feature has been quite thoroughly tested but there are always loose ends. So maybe we're onto something.

I'm suspecting that there's something fishy about the regular expressions. Not that yours are wrong but the shell you're using might not passing them correctly to Maven.

Re your questions - the plugin does not do things like dependency resolution etc., or retrieving dependencies from a remote repository or from the local repository ("Maven cache") on itself. It relies on Maven or its components to do that.

Dependency resolution is done using https://maven.apache.org/resolver/, retrieving or writing to cache is core Maven.

Since the checksum of maven-metadata-central.xml matches that in maven-metadata-central.xml.sha1, which was updated on 2022-09-08, it seems likely that the incorrect 20210818055556 was set on 2022-09-08. Have you heard of versions:use-releases, versions:set, or versions:display-dependency-updates ever setting a in the future? Does it update the metadata in the local repository itself, or does it rely on Maven to do this? (Eclipse m2e is also a potential culprit.)

Try using -U

https://stackoverflow.com/questions/26224842/how-exactly-mvn-u-works

And once again, perhaps it would be faster to just read the code and get to know how the plugin works under the hood. There you could create an integration test testing the very case you're experiencing and you could debug it. Also, faster, because of time difference at the least.

@garretwilson
Copy link
Author

I'm suspecting that there's something fishy about the regular expressions. Not that yours are wrong but the shell you're using might not passing them correctly to Maven.

They aren't my regular expressions exactly; I modified them from an answer on Stack Overflow. I intended to simplify them a bit once this was working.

But in any case, do you think the regular expressions are even relevant anymore? It's not seeing that com.akathist.maven.plugins.launch4j:launch4j-maven-plugin needs updating even if I take the whole regular expressions ignore configuration out of the POM! It seems reasonable to me that the problem here is not the Versions Maven Plugin regular expression testing, but rather the bad lastUpdated data inside maven-metadata-central.xml in my local repository, telling Maven not to query Maven Central for new versions. Thus Versions Maven Plugin doesn't even know there are new versions available.

Try using -U

Right, that seems to be like the workaround I'll need to use in order to get this to work.

But it worries me that these timestamps were wrong to begin with, and I would really like to figure out what caused them before I simply force all them to be updated.

@andrzejj0
Copy link
Contributor

Regarding Maven warnings in 3.9.2 -- yeah that's a kinda passive-aggressive way of Maven devs' of getting users to chase plugin maintainers to fix their dependencies. The one in versions-maven-plugin has already been done and will be fixed 2.16.0. Plenty of other plugins will still suffer from this and it will cause people relying on warnings from their CI/CD some hassle.

@garretwilson
Copy link
Author

Dependency resolution is done using https://maven.apache.org/resolver/, retrieving or writing to cache is core Maven.

Good to know, thanks. So Maven Resolver is what should be updating those lastUpdated timestamps in maven-metadata-central.xml you think?

I note that Maven recently updated Resolver in MNG-7753 and MNG-7769. These supposedly fixed MRESOLVER-352 and MRESOLVER-357. I don't see anything in the tickets regarding corrupted lastUpdated timestamps, but I wonder if it's possible that there was a Maven Resolver bug that did this at some point?

I just had to go on and just cross my fingers it won't happen again without knowing what caused it, because at any time there could be new versions and I wouldn't know it if whatever did this did it again.

@andrzejj0
Copy link
Contributor

But in any case, do you think the regular expressions are even relevant anymore?

But you said the issue is not occurring if you skip those ignored versions along with their regexes entirely. Or did I get that wrong?

@garretwilson
Copy link
Author

garretwilson commented May 21, 2023

But you said the issue is not occurring if you skip those ignored versions along with their regexes entirely. Or did I get that wrong?

I'm not sure what you mean when you say "skip those ignored versions".

If I check for updates on the latest pom.xml, it shows what I put in the description. That's without even adding the ignores (or any extra configuration). You'll note that it's missing com.akathist.maven.plugins.launch4j:launch4j-maven-plugin altogether, and that the latest version for org.springframework.boot:spring-boot-maven-plugin is out of date. I didn't even realize that this was incorrect until I looked more closely at the output you gave.

Adding the regular expression configuration only removes the -M* versions from the output. Thus it would seem that the ignore-versions part is working correctly based upon the versions Maven Resolver is passing back; the problem is that Maven Resolver isn't even checking for new versions, because a lot of things in my local repository have lastUpdated timestamps (way) in the future.

Did I explain it better that time? Does it make sense?

@andrzejj0
Copy link
Contributor

andrzejj0 commented May 21, 2023

Good to know, thanks. So Maven Resolver is what should be updating those lastUpdated timestamps in maven-metadata-central.xml you think?

I note that Maven recently updated Resolver in MNG-7753 and MNG-7769. These supposedly fixed MRESOLVER-352 and MRESOLVER-357. I don't see anything in the tickets regarding corrupted lastUpdated timestamps, but I wonder if it's possible that there was a Maven Resolver bug that did this at some point?

Oh one more thing. The plugin will use the version of Maven (and its libraries) that you're using to run it with. So, to bump them, you need to use a never version of Maven.

Also, if you clone this repository, you will be able to add your test case as an integration test. E.g. somewhere in there

you can then run it using maven invoker, e.g.

mvn -P run-its -Dmaven.invoker=<your-test-name>

or rely on the Github Actions flows to do it for you -- there you can add multiple platforms (Windows, MacOS, Linux) to test it on.

@garretwilson
Copy link
Author

Oh one more thing. The plugin will use the version of Maven (and its libraries) that you're using to run it with. So, to bump them, you need to use a never version of Maven.

Right. I'm using Maven 3.9.1 right now.

At this point I'm just trying to find out what caused the bad timestamps—that's why I was looking at the Maven changelog to see if any Maven Resolver bugs had been fixed that said anything about bad timestamps.

@andrzejj0
Copy link
Contributor

Maybe there indeed might be something wrong with Maven itself. Another thing you could do is remove the directory from the local Maven repo and see if that helps. It usually does for me.

@garretwilson
Copy link
Author

Another thing you could do is remove the directory from the local Maven repo and see if that helps. It usually does for me.

Well, yes, I have no doubt that simply blowing away ~/.m2/repository will "solve" the problem because Maven won't see any last-updated timestamp and assume it needs to talk to Maven Central to get the latest versions. As you mentioned -U will be a more elegant way to do this.

But my my desire right now is that I'd like to know that caused this in the first place, rather that just "force-fixing" it and thinking, "oh, it was a fluke, it will never happen again".

@andrzejj0
Copy link
Contributor

Does it get resolved properly if you use mvn dependency:get -Dartifact=... ?

https://maven.apache.org/plugins/maven-dependency-plugin/get-mojo.html

@garretwilson
Copy link
Author

Does it get resolved properly if you use mvn dependency:get -Dartifact=... ?

You mean and specify an actual version? (I glanced at the docs and it looks like that's required.)

I'll have to try it tomorrow. It's best not to work when my mind is tired after a long, busy day. Thanks for the input. I'll investigate more after some rest.

@garretwilson
Copy link
Author

Good morning. I opened Maven lastUpdated timestamps in maven-metadata.xml have been set to the future to try to find out how/why this happened.

@garretwilson
Copy link
Author

garretwilson commented May 22, 2023

@ajarmoniuk they pointed out on Stack Overflow that those <lastUpdated>20210818055556</lastUpdated> timestamps I was seeing are not Unix epoch numbers but YYYYMMDD… values. Thus the values are note set in the future. So I'm back to square one and still don't know why your machine is seeing certain new plugins available from Maven Central but mine is not, even with the exact same POM.

@andrzejj0
Copy link
Contributor

andrzejj0 commented May 22, 2023

Frankly, I'm not so sure why this might occur. However, this is not this plugin but rather Maven (and, possibly, Resolver). Might be caused by a corrupted local repository. How can it get corrupted is not clear to me, "a network glitch" in the Baeldung article hints to some problems with cleanup while releasing resources faced with network errors.

https://www.baeldung.com/maven-force-update contains some hints on how to deal with this

Does this only happen with plugins or also with dependencies (with dependencies that would mean that a dependency with the given version, which does exist in the central repo, can't be downloaded)?

Another idea is to look for/create a new issue on https://issues.apache.org/jira

@garretwilson
Copy link
Author

I've opened a new question on Stack Overflow to try to get to the bottom of this: Maven Artifact Resolver not seeing latest plugins on Maven Central on my machine.

@andrzejj0
Copy link
Contributor

Garret, I didn't mean you had to delete the whole ~/.m2/repository, but just the subfolder containing the dependency that caused problems within it. This way maven will redownload the dependency with the correct version this time.

As to why this happens, it's best to ask on either https://issues.apache.org/jira or on Maven users' mailing lists -- users@maven.apache.org. That last one might feel like the old USENET times, but I think it should be the best resource.

@garretwilson
Copy link
Author

garretwilson commented May 24, 2023

Good morning, @ajarmoniuk .

Garret, I didn't mean you had to delete the whole ~/.m2/repository, but just the subfolder containing the dependency that caused problems within it.

Right, but how do I know at any time which subfolder contains a dependency that is "caus[ing] problems within it"? I only knew in this case because you were nice enough to respond to the ticket and post your test results for this project. But I have many other projects with many other dependencies. How am I to know that these few are the only ones with problems? If Maven is "stuck" at some point in the past on my machine, I likely have dozens of dependencies for which Versions Maven Plugin would should out-of-date information for, but I have no way of knowing which ones they are (because of the nature of this problem). You see what I mean?

As to why this happens, it's best to ask on either https://issues.apache.org/jira or on Maven users' mailing lists -- users@maven.apache.org.

I'll do that as well—thanks for the tip.

@garretwilson
Copy link
Author

So: if XML is present, resolver would go to properties file to check "when was file fetched from remote". So only properties file should be renamed, xml should be left intact.

I'm saying I did exactly that above. Nevertheless Maven did not go contact Maven Central, and it did not regenerate the properties file.

@cstamas
Copy link

cstamas commented May 25, 2023

Now you made me to get out of bed... 😄

@garretwilson
Copy link
Author

Now you made me to get out of bed... 😄

Sorry!!! 😬 I was going to wait until tomorrow, but when you clarified that lastUpdated was a property, not a file extension, I though, what the heck, I spent the whole morning on this, I might as well keep going all afternoon. 😅

If you want to wait until tomorrow I completely understand. But if you keep replying I'll keep plodding forward in the testing. 😂

@garretwilson
Copy link
Author

My best "hunch" guess at the moment based upon this behavior (and without knowing anything about the code other than what you've told me) is that either A) something in the code is accidentally bypassing the resolver-status.properties check, or B) somehow a path got mis-calculated and it's checking the resolver-status.properties of some other artifact (or something else altogether).

@cstamas
Copy link

cstamas commented May 25, 2023

Am trying to reproduce, but on laptop (not on desktop in office, where I had your setup), give me a five minutes or so...

@cstamas
Copy link

cstamas commented May 25, 2023

Damn me, I think I got it

@garretwilson
Copy link
Author

Damn me, I think I got it

The suspense here is unbearable … haha

@garretwilson
Copy link
Author

NO update for launch4j-maven-plugin reported.

Just to confirm: you reproduced this?

@cstamas
Copy link

cstamas commented May 25, 2023

yes, with local empty repo (first run) 2.4.1 reported as latest (as expected), with altered local repo (2nd run) no update reported.

At first sight, this may be related to XML file timestamp....

After reproducing, I have this:

[cstamas@blondie versions-959]$ ll local/com/akathist/maven/plugins/launch4j/launch4j-maven-plugin/
total 8
drwxr-xr-x. 1 cstamas cstamas  174 máj   25 22.50 2.1.2
drwxr-xr-x. 1 cstamas cstamas  174 máj   25 22.48 2.1.3
drwxr-xr-x. 1 cstamas cstamas  174 máj   25 22.48 2.4.1
-rw-r--r--. 1 cstamas cstamas 1367 máj   25 22.50 maven-metadata-central.xml
-rw-r--r--. 1 cstamas cstamas   40 máj   25 22.48 maven-metadata-central.xml.sha1
[cstamas@blondie versions-959]$ 

Despite 2.4.1 version present, it goes unnoticed, as XML file (content copied from #959 (comment)) does not contains it.

@cstamas
Copy link

cstamas commented May 25, 2023

Seems nope: changed TS to "2 days ago", no change.
https://gist.github.com/cstamas/5aec55f97bed367e909dd685a073ea20

@cstamas
Copy link

cstamas commented May 25, 2023

So wow: this bug is a nasty one: it seems in this case, Maven metadata is handled "like any other artifact in release repository" -- with update policy "never"! This "never update" is true for release artifacts, but NOT for release metadata, that may contain changes (like new versions)... debugged so far, but now am now done.

We have a reproducer, and we have where to go from here.

In short, problem lies here: https://github.com/apache/maven-resolver/blob/maven-resolver-1.9.10/maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/DefaultUpdateCheckManager.java#L274

The check.policy() is "never", as central repo is release repository (artifacts are immutable), so the if receives false and goes to next block: https://github.com/apache/maven-resolver/blob/maven-resolver-1.9.10/maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/DefaultUpdateCheckManager.java#L277

@cstamas
Copy link

cstamas commented May 25, 2023

Created https://issues.apache.org/jira/browse/MRESOLVER-363
This is a resolver bug, nothing to do with versions plugin. So if you agree, please close this issue.

@garretwilson
Copy link
Author

So in Maven 3.9.1 this is happening to everyone who already has metadata? Some particular update to Maven Resolver basically left current metadata "locked" at its present state? Am I understanding that correctly?

Is the reason that you could not reproduce this earlier the fact that you had no metadata at all, and it was updating everything from scratch? But the moment anyone has metadata, it gets "locked" going forward, is that right?

@cstamas
Copy link

cstamas commented May 25, 2023

yes, with empty repo all is nicely downloaded.

also, many user (and even myself) in "daily routine" use this plugin with -U, so never notice:
https://gist.github.com/cstamas/c22061e0c1f67961e8530fa056e609c4

@garretwilson
Copy link
Author

garretwilson commented May 25, 2023

So -U is a workaround that will force an update in this case for all my artifacts? I was reading on several Stack Overflow answers that -U only applies to -SNAPSHOT releases.

@cstamas
Copy link

cstamas commented May 25, 2023

Yes, -U is a workaround, and after this, my guess is it simply "stick" to users as w/o -U it MAY not report new things (just like in this issue case).

mvn -h says

 -U,--update-snapshots                  Forces a check for missing
                                        releases and updated snapshots on
                                        remote repositories

So is kinda badly worded. Without it this IF 1st block is executed, with it 2nd block:
https://github.com/apache/maven/blob/maven-3.9.1/maven-core/src/main/java/org/apache/maven/internal/aether/DefaultRepositorySystemSessionFactory.java#L165

And my guess is that this "never" we see in case of metadata. Need to look more, as to me this "smells" like artifact policy (that is for release rightfully "never") is by mistake applied to metadata.

But now am really off.

@garretwilson
Copy link
Author

Thank you for all your work on this, @cstamas ! It's so good to know we're getting somewhere. I had put some work on hold to help get this resolved, as I didn't want to force everything to update until we knew the source of the problem.

@ajarmoniuk , thanks for your input and steering me in the right direction, and letting us hijack this ticket for a bit.

Created https://issues.apache.org/jira/browse/MRESOLVER-363
This is a resolver bug, nothing to do with versions plugin. So if you agree, please close this issue.

I'll go continue my testing of the new Versions Maven Plugin regex ignore version feature, and if that is working, I'll note that and close this ticket. Further discussion on this bug can happen at MRESOLVER-363.

Thanks again, and I hope you have a good, restful night @cstamas .

@andrzejj0
Copy link
Contributor

Awesome work! Congrats on getting to the bottom of it!

@cstamas
Copy link

cstamas commented May 26, 2023

So in Maven 3.9.1 this is happening to everyone who already has metadata? Some particular update to Maven Resolver basically left current metadata "locked" at its present state? Am I understanding that correctly?

Is the reason that you could not reproduce this earlier the fact that you had no metadata at all, and it was updating everything from scratch? But the moment anyone has metadata, it gets "locked" going forward, is that right?

No, as on issue: reaolver did not found value for lastUpdated. This as we saw, may happen due several factors:

  • Not present resolver-status.propertiee
  • or is present, but created with maven-compat (uses different key)

So is not locked for "all, who already have the metadata". If lastUpdated found, it will work. The conditions above must be met.

Again, local repo state may be altered by many apps, not only maven resolver, so it is def not "insanely hard" to get into situation like this, but still, it is not "locked down to all who downloaded it once" either.

@garretwilson
Copy link
Author

Just to confirm: the latest understanding is that pull request #957 will fix this problem, because it will override the default policy of local repository metadata to say that the metadata should be refreshed at least daily (including if no last-update information is found by Maven Artifact Resolver)?

(The follow-up question of course is whether there is an idea of when that change might be included in a new release?)

@slawekjaranowski
Copy link
Member

Just to confirm: the latest understanding is that pull request #957 will fix this problem, because it will override the default policy of local repository metadata to say that the metadata should be refreshed at least daily (including if no last-update information is found by Maven Artifact Resolver)?

(The follow-up question of course is whether there is an idea of when that change might be included in a new release?)

I have plan a next release in this week 😄

@slawekjaranowski slawekjaranowski added this to the 2.16.0 milestone May 30, 2023
@garretwilson
Copy link
Author

I have plan a next release in this week 😄

Wonderful! But can you confirm that we expect #957 to fix this bug? I just wanted to make sure I understood the current status.

@slawekjaranowski
Copy link
Member

Please look - #965 (comment)
And my way to testing - #965 (comment)

So I assume the #957 - will fix problem with missing or wrong property in resolver-status.properties

@garretwilson
Copy link
Author

I saw that v2.16.0 was released yesterday, so here goes the test … 🥁

First here is mvn versions:display-plugin-updates with v2.15.0:

[INFO] --- versions:2.15.0:display-plugin-updates (default-cli) @ … ---
[INFO]
[INFO] The following plugin updates are available:
[INFO]   maven-failsafe-plugin .......................... 2.22.2 -> 3.0.0-M7
[INFO]   maven-release-plugin ............................ 2.5.3 -> 3.0.0-M6
[INFO]   maven-site-plugin .............................. 3.12.1 -> 4.0.0-M3
[INFO]   maven-surefire-plugin .......................... 2.22.2 -> 3.0.0-M7
[INFO]   org.springframework.boot:spring-boot-maven-plugin .. 2.7.3 -> 3.0.5

Now here is mvn versions:display-plugin-updates with v2.16.0. (I'm really trying it as I write this. Oh the suspense … 😅 )

[INFO] --- versions:2.16.0:display-plugin-updates (default-cli) @ … ---
…
[INFO]
[INFO] The following plugin updates are available:
[INFO]   com.akathist.maven.plugins.launch4j:launch4j-maven-plugin  2.1.3 -> 2.4.1
[INFO]   maven-assembly-plugin .............................. 3.4.2 -> 3.6.0
[INFO]   maven-compiler-plugin ............................ 3.10.1 -> 3.11.0
[INFO]   maven-dependency-plugin ............................ 3.3.0 -> 3.6.0
[INFO]   maven-deploy-plugin ................................ 3.0.0 -> 3.1.1
[INFO]   maven-enforcer-plugin .............................. 3.1.0 -> 3.3.0
[INFO]   maven-failsafe-plugin ............................. 2.22.2 -> 3.1.2
[INFO]   maven-gpg-plugin ................................... 3.0.1 -> 3.1.0
[INFO]   maven-install-plugin ............................... 3.0.1 -> 3.1.1
[INFO]   maven-jar-plugin ................................... 3.2.2 -> 3.3.0
[INFO]   maven-javadoc-plugin ............................... 3.4.1 -> 3.5.0
[INFO]   maven-release-plugin ............................... 2.5.3 -> 3.0.1
[INFO]   maven-resources-plugin ............................. 3.3.0 -> 3.3.1
[INFO]   maven-site-plugin .............................. 3.12.1 -> 4.0.0-M8
[INFO]   maven-source-plugin ................................ 3.2.1 -> 3.3.0
[INFO]   maven-surefire-plugin ............................. 2.22.2 -> 3.1.2
[INFO]   org.codehaus.mojo:build-helper-maven-plugin ........ 3.3.0 -> 3.4.0
[INFO]   org.springframework.boot:spring-boot-maven-plugin .. 2.7.3 -> 3.1.0

Oh, wow! Apparently I was behind in a lot of plugins and never new it!! But it looks like #957 fixed the problem with the stale update from Maven Central. In particular we see com.akathist.maven.plugins.launch4j:launch4j-maven-plugin 2.1.3 -> 2.4.1, which is the plugin we were using as an example in this ticket. And very interesting: if we look in ~/.m2/repository/com/akathist/maven/plugins/launch4j/launch4j-maven-plugin/resolver-status.properties, here is what it looked like before:

#Last modified on: Thu Sep 08 15:34:35 PDT 2022
#Thu Sep 08 15:34:35 PDT 2022
central.maven-metadata-central.xml.lastUpdated=1662676475074

Here is what ~/.m2/repository/com/akathist/maven/plugins/launch4j/launch4j-maven-plugin/resolver-status.properties looks like now:

#NOTE: This is a Maven Resolver internal implementation file, its format can be changed without prior notice.
#Wed Jun 07 13:39:37 PDT 2023
central.maven-metadata-central.xml.lastUpdated=1662676475074
maven-metadata-central.xml.lastUpdated=1686170377857

Basically there is a new maven-metadata-central.xml.lastUpdated, and the "compatibility layer" property central.maven-metadata-central.xml.lastUpdated (which was what it was ignoring before) has been left untouched. I'm sure that's fine.

During this run of mvn versions:display-plugin-updates, because of #957 it went and downloaded lots of metadata XML from Maven Central, but (whew!) not an inordinate number. Basically it seems to have just pulled down metadata for these plugins that were out of date. I'm assuming those were the plugins missing the maven-metadata-central.xml.lastUpdated as well.

OK, things seem to be working great so far. Now for the grand finale: adding ignores so that I don't see things like the milestone releases. You'll remember this was the original point of all this back in #258 and #684.

<configuration>
  <ruleSet>
    <ignoreVersions>
      <ignoreVersion><type>regex</type><version>.*-SNAPSHOT</version></ignoreVersion>
      <ignoreVersion><type>regex</type><version>.*-alpha(?:-?\d+)?</version></ignoreVersion>
      <ignoreVersion><type>regex</type><version>.*-beta(?:-?\d+)?</version></ignoreVersion>
      <ignoreVersion><type>regex</type><version>.*-M(?:-?\d+)?</version></ignoreVersion>
      <ignoreVersion><type>regex</type><version>.*-RC(?:-?\d+)?</version></ignoreVersion>
      <ignoreVersion><type>regex</type><version>.*-pfd(?:-?\d+)?</version></ignoreVersion>
    </ignoreVersions>
  </ruleSet>
</configuration>

And running mvn versions:display-plugin-updates with those ignores:

[INFO] --- versions:2.16.0:display-plugin-updates (default-cli) @ … ---
[INFO]
[INFO] The following plugin updates are available:
[INFO]   com.akathist.maven.plugins.launch4j:launch4j-maven-plugin  2.1.3 -> 2.4.1
[INFO]   maven-assembly-plugin .............................. 3.4.2 -> 3.6.0
[INFO]   maven-compiler-plugin ............................ 3.10.1 -> 3.11.0
[INFO]   maven-dependency-plugin ............................ 3.3.0 -> 3.6.0
[INFO]   maven-deploy-plugin ................................ 3.0.0 -> 3.1.1
[INFO]   maven-enforcer-plugin .............................. 3.1.0 -> 3.3.0
[INFO]   maven-failsafe-plugin ............................. 2.22.2 -> 3.1.2
[INFO]   maven-gpg-plugin ................................... 3.0.1 -> 3.1.0
[INFO]   maven-install-plugin ............................... 3.0.1 -> 3.1.1
[INFO]   maven-jar-plugin ................................... 3.2.2 -> 3.3.0
[INFO]   maven-javadoc-plugin ............................... 3.4.1 -> 3.5.0
[INFO]   maven-release-plugin ............................... 2.5.3 -> 3.0.1
[INFO]   maven-resources-plugin ............................. 3.3.0 -> 3.3.1
[INFO]   maven-source-plugin ................................ 3.2.1 -> 3.3.0
[INFO]   maven-surefire-plugin ............................. 2.22.2 -> 3.1.2
[INFO]   org.codehaus.mojo:build-helper-maven-plugin ........ 3.3.0 -> 3.4.0
[INFO]   org.springframework.boot:spring-boot-maven-plugin .. 2.7.3 -> 3.1.0

You'll notice that maven-site-plugin is no longer listed. Unfortunately I can't confirm 100% whether it's working correctly, because if you ignore 4.0.0-M8 then I already have the latest version 3.12.1 specified, so we don't know if it would show a greater version than this, e.g. 3.12.2. But from @ajarmoniuk 's test earlier in this ticket, it did appear to do what it was supposed to do.

OK this is really, great news, especially since this has been a journey of over five years (starting with #258). Thank you everyone involved! I'm finally going to be able to close my own ticket, JAVA-241: Configure Versions Maven Plugin to ignore non-release versions.. 🎉

garretwilson added a commit to globalmentor/globalmentor-root that referenced this issue Jun 25, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

4 participants