We have a maven project with a parent pom.xml that has dependencyManagement for all our dependencies.
In some cases, we use maven variables so that we can keep multiple dependencies from the same source project in lock-step.
In one case, we were inconsistently using this pattern and I noticed some unexpected behavior from dependabot.
Specifically, we have a variable named “jackson.version”:
And that is referenced from our dependencyManagement of jackson-module-jaxb-annotations but not
Interestingly, dependabot opened a PR to bump jackson-core to 2.13.0 but not for these other dependencies that use a variable for their version.
However, in "[java:maven] Dependency versions defined through a property are not respected by if the property starts with 'project.'" (Issue #1859, dependabot/dependabot-core on GitHub) I can see others who claim the tool will resolve these variables and update them accordingly.
Any idea why we’re not seeing that in our repo? Maybe it has to do with the fact we use this version var in multiple places and dependabot does not support grouped updates yet?
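As an added illustration, not taken from the original post, here is a parent pom.xml fragment showing the pattern the question describes: one jackson.version property referenced from every Jackson entry in dependencyManagement, so the artifacts move in lock-step. The Maven coordinates are the real Jackson ones; the version numbers and the assumption that jackson-core was the entry with a hardcoded version (which would explain why it alone got a PR) are constructed for the example.

```xml
<!-- Added example (not from the original post). Parent pom.xml fragment. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>parent</artifactId>
  <version>1.0.0</version>
  <packaging>pom</packaging>

  <properties>
    <!-- Single source of truth for the Jackson release line.
         Version value is constructed for the example. -->
    <jackson.version>2.12.5</jackson.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- INCONSISTENT (assumed "before" state): a literal version here means
           this one artifact can be bumped independently of the property, which
           is what a per-dependency PR on jackson-core alone would look like. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>2.12.5</version>
      </dependency>

      <!-- CONSISTENT: every other Jackson artifact resolves through the property,
           so they can only ever be updated together. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.module</groupId>
        <artifactId>jackson-module-jaxb-annotations</artifactId>
        <version>${jackson.version}</version>
      </dependency>

      <!-- CORRECTED form of the jackson-core entry: replace the literal above
           with the property so all three artifacts share one version. -->
      <!--
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      -->
    </dependencies>
  </dependencyManagement>
</project>
```

Two checks worth running before blaming the tool: `mvn help:evaluate -Dexpression=jackson.version -q -DforceStdout` prints the value Maven actually resolves for the property in the parent, and `grep -n 'jackson' pom.xml` in the parent and each module quickly shows whether any Jackson artifact still carries a literal version or a differently named property, either of which splits the group and leaves the shared property behind.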