Dependabot not upgrading major versions of Maven SNAPSHOT dependencies

Question

I've got dependabot setup, but even though a new minor version of a SNAPSHOT dependency is available, it's not being found.

Take the following pom.xml:

<project xmlns="http://maven.apache.org/POM/4.0.0"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.org</groupId>
<artifactId>project</artifactId>
<version>2.4-SNAPSHOT</version>
<dependencies>
    <dependency>
        <groupId>com.org</groupId>
        <artifactId>dependency</artifactId>
        <version>1.1-SNAPSHOT</version>
    </dependency>
</dependencies>

With the following dependabot.yml:

version: 2
registries:
  github-maven:
    type: maven-repository
    url: https://maven.pkg.github.com/my-org/*/
    username: admin
    password: rosebud
updates:
  - package-ecosystem: maven
    registries: "*"
    directory: /
    schedule:
      interval: daily

There's now a 1.2-SNAPSHOT available in my private repository - I can see it's been uploaded to https://maven.pkg.github.com/my-org/maven-repository/com/org/dependency/1.2-SNAPSHOT/dependency-1.2-20220714.094840-17.jar

Looking in the Dependabot logs, it's clear it's found all the versions of dependency from the maven-metadata.xml, but it's failed to actually get any of those versions.

updater | INFO <job_418367509> Checking if com.org:dependency 1.1-SNAPSHOT needs updating
  proxy | 2022/07/14 09:41:03 [176] GET https://repo.maven.apache.org:443/maven2/com/ci/dependency/maven-metadata.xml
  proxy | 2022/07/14 09:41:03 [176] 404 https://repo.maven.apache.org:443/maven2/com/ci/dependency/maven-metadata.xml
  proxy | 2022/07/14 09:41:03 [178] GET https://maven.pkg.github.com:443/my-org/*/com/ci/dependency/maven-metadata.xml
  proxy | 2022/07/14 09:41:03 [178] * authenticating maven repository request (host: maven.pkg.github.com)
  proxy | 2022/07/14 09:41:03 [178] 200 https://maven.pkg.github.com:443/my-org/*/com/ci/dependency/maven-metadata.xml
  proxy | 2022/07/14 09:41:03 [180] HEAD https://repo.maven.apache.org:443/maven2/com/ci/dependency/1.2-SNAPSHOT/dependency-1.2-SNAPSHOT.jar
  proxy | 2022/07/14 09:41:03 [180] 404 https://repo.maven.apache.org:443/maven2/com/ci/dependency/1.2-SNAPSHOT/dependency-1.2-SNAPSHOT.jar
  proxy | 2022/07/14 09:41:03 [182] HEAD https://maven.pkg.github.com:443/my-org/*/com/ci/dependency/1.2-SNAPSHOT/dependency-1.2-SNAPSHOT.jar
  proxy | 2022/07/14 09:41:03 [182] * authenticating maven repository request (host: maven.pkg.github.com)
  proxy | 2022/07/14 09:41:04 [182] 404 https://maven.pkg.github.com:443/my-org/*/com/ci/dependency/1.2-SNAPSHOT/dependency-1.2-SNAPSHOT.jar
  proxy | 2022/07/14 09:41:04 [188] HEAD https://repo.maven.apache.org:443/maven2/com/ci/dependency/1.1-SNAPSHOT/dependency-1.1-SNAPSHOT.jar
  proxy | 2022/07/14 09:41:04 [188] 404 https://repo.maven.apache.org:443/maven2/com/ci/dependency/1.1-SNAPSHOT/dependency-1.1-SNAPSHOT.jar
  proxy | 2022/07/14 09:41:04 [190] HEAD https://maven.pkg.github.com:443/my-org/*/com/ci/dependency/1.1-SNAPSHOT/dependency-1.1-SNAPSHOT.jar
  proxy | 2022/07/14 09:41:04 [190] * authenticating maven repository request (host: maven.pkg.github.com)
  proxy | 2022/07/14 09:41:04 [190] 404 https://maven.pkg.github.com:443/my-org/*/com/ci/dependency/1.1-SNAPSHOT/dependency-1.1-SNAPSHOT.jar
updater | INFO <job_418367509> Latest version is 
updater | INFO <job_418367509> Requirements to unlock update_not_possible
updater | INFO <job_418367509> Requirements update strategy 
updater | INFO <job_418367509> No update possible for com.org:dependency 1.1-SNAPSHOT

I think the problem is that the SNAPSHOT versions all have the date in the filename, and although this is listed in the maven-metadata.xml, Dependabot doesn't support that. I'm not able to verify this as this is no longer a Maven behaviour you can change.

Non-SNAPSHOT dependencies in my private repository work fine with Dependabot, and my dependencies are resolved without issue in Maven for builds etc.

Answer 1

This is a bug in Dependabot.

From GitHub support:

Our engineers found an issue with our support for SNAPSHOT packages in general. They have opened an issue for it, but there is not estimate for when a fix will be released.