Fix Maven released? check for non-jar packaging types (e.g., aar) #14886

Draft: kbukum1 wants to merge 1 commit into main from kbukum1/fix-maven-released-check-non-jar-packaging

kbukum1 commented May 1, 2026

What are you trying to accomplish?

When a Maven artifact uses non-jar packaging (e.g., aar), but the consumer POM omits <type>, the parser defaults to "jar". This causes released?() to HEAD-check .jar URLs that always return 404, wasting ~2 minutes per run.

For example, io.grpc:grpc-cronet is packaged as aar — the .jar never exists, but the .pom always does.

Now released? falls back to a .pom HEAD check when the artifact returns 404 (only when no classifier is present).

Fixes #14843

Anything you want to highlight for special attention from reviewers?

The fallback is intentionally narrow:

  • Only triggers on 404 (not 401/403/500)
  • Skipped when a classifier is present
  • Uses .pom since every published Maven artifact has one

How will you know you have accomplished your goal?

All related Maven tests pass (133 examples, 0 failures), including 4 new test cases covering the fallback behavior.

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.
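
The fallback conditions listed in the description above, written out as an added Ruby example (not code from this pull request or from Dependabot). The names `artifact_url`, `released?` as defined here, `stub_head`, the repository host and the version `1.0.0` are assumptions made for illustration; the HEAD request is injected as a callable so the block runs offline.

```ruby
# Added illustration; method names are hypothetical, not Dependabot's API.
REPO = "https://repo.example.invalid/maven2" # constructed placeholder host

# Maven repository layout:
#   <group as path>/<artifact>/<version>/<artifact>-<version>[-<classifier>].<ext>
def artifact_url(group, artifact, version, ext, classifier: nil)
  file = [artifact, version, classifier].compact.join("-")
  "#{REPO}/#{group.tr('.', '/')}/#{artifact}/#{version}/#{file}.#{ext}"
end

# head: callable that takes a URL and returns the HTTP status of a HEAD request.
# Assumption: status 200 means the file is published.
def released?(group, artifact, version, head:, type: "jar", classifier: nil)
  status = head.call(artifact_url(group, artifact, version, type, classifier: classifier))
  return true if status == 200
  # 404-only: 401/403/5xx do not tell us whether the version exists.
  return false unless status == 404
  # A classifier names one specific file; the .pom cannot vouch for it.
  return false if classifier

  head.call(artifact_url(group, artifact, version, "pom")) == 200
end

# Constructed stand-in for a registry: status is chosen by file extension,
# anything unlisted is 404. Every requested URL is appended to log.
def stub_head(responses, log = [])
  lambda do |url|
    log << url
    responses.fetch(File.extname(url), 404)
  end
end

if __FILE__ == $PROGRAM_NAME
  aar_only = stub_head({ ".jar" => 404, ".pom" => 200 })
  # Version 1.0.0 is a constructed sample value.
  puts released?("io.grpc", "grpc-cronet", "1.0.0", head: aar_only)
  puts released?("io.grpc", "grpc-cronet", "1.0.0", head: aar_only, classifier: "sources")
end
```
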

Copilot AI review requested due to automatic review settings May 1, 2026 04:47
@kbukum1 kbukum1 requested a review from a team as a code owner May 1, 2026 04:47
@github-actions github-actions Bot added the L: java:maven Maven packages via Maven label May 1, 2026
@kbukum1 kbukum1 marked this pull request as draft May 1, 2026 04:47
Copilot AI left a comment

Pull request overview

This PR improves Dependabot’s Maven released? determination by handling artifacts whose published packaging type isn’t jar (e.g., aar) when the consuming POM omits <type> and the code otherwise defaults to checking a .jar URL that will 404.

Changes:

  • Added a .pom URL helper and introduced a narrow .pom fallback in released? when the artifact URL returns HTTP 404 and no classifier is present.
  • Added/updated RSpec stubs and examples to cover the new fallback behavior and keep existing “unreleased” simulations accurate.
  • Updated version finder specs to stub .pom HEAD requests in scenarios that now trigger the fallback.

Summary per file:

| File | Description |
| --- | --- |
| maven/lib/dependabot/maven/shared/shared_package_details_fetcher.rb | Implements .pom URL generation and 404-only fallback logic in released? (skipping classifier cases). |
| maven/spec/dependabot/maven/shared/shared_package_details_fetcher_spec.rb | Adds focused test coverage for the .pom fallback and ensures existing 404 cases stub both artifact and pom. |
| maven/spec/dependabot/maven/package/package_details_fetcher_spec.rb | Updates unreleased-version stubs to account for the new .pom fallback path. |
| maven/spec/dependabot/maven/update_checker/version_finder_spec.rb | Updates stubs in 404 scenarios so version selection logic remains deterministic with the new fallback. |

Copilot's findings

  • Files reviewed: 4/4 changed files
  • Comments generated: 0

When a Maven artifact uses non-jar packaging (e.g., aar for Android libraries
like grpc-cronet), but the consumer POM omits <type>, the parser defaults to
"jar". This caused released?() to HEAD-check .jar URLs that return 404 for
every version, wasting ~2 minutes on fruitless requests.

Now, when the artifact HEAD returns 404 and no classifier is present, we fall
back to checking the .pom file (which always exists for published artifacts).
This correctly identifies published versions regardless of packaging type.

Fixes #14843

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@kbukum1 kbukum1 force-pushed the kbukum1/fix-maven-released-check-non-jar-packaging branch from 3c02513 to eeae216 Compare May 5, 2026 17:29
Development

Successfully merging this pull request may close these issues.

Spending 2 minutes with 404 searching for non-existent jar for aar packaging type (such as grpc-cronet)
