Does dependabot resolve maven variables?

We have a maven project with a parent pom.xml that has dependencyManagement for all our dependencies.
In some cases, we use maven variables so that we can keep multiple dependencies from the same source project in lock-step.

In one case, we were inconsistently using this pattern and I noticed some unexpected behavior from dependabot.

Specifically, we have a variable named “jackson.version”:

And that is referenced from our dependencyManagement of jackson-annotations and jackson-module-jaxb-annotations but not jackson-core

Interestingly, dependabot opened a PR to bump jackson-core to 2.13.0 but not for these other dependencies that use a variable for their version.

However, at [java:maven] Dependency versions defined through a property are not respected by if the property starts with 'project.' · Issue #1859 · dependabot/dependabot-core · GitHub I can see others that claim the tool will resolve these variables and update them accordingly.

Any idea why we’re not seeing that in our repo? Maybe it has to do with the fact we use this version var in multiple places and dependabot does not support grouped updates yet?

1 Like