@jakecoffman
Member

It's often the case with proxy-style registries that users do not want Dependabot to try to reach Maven Central.

With this PR I've implemented the "replaces-base" functionality first used in the Python ecosystem. This means the registry with that setting will be used everywhere that Maven Central was used previously by Dependabot.

The order by which Dependabot chooses to query will still be the order the registries appear in dependabot.yml. I think this makes more sense than making the "replaces-base" registry go last as it mirrors what the Maven executable would do with a settings.xml present with the dependabot.yml registries defined, overwriting central by ID.

@jakecoffman jakecoffman requested a review from a team as a code owner October 17, 2022 19:03
@jakecoffman jakecoffman force-pushed the jakecoffman/maven-replaces-base branch from 68c392f to 0e13752 Compare October 17, 2022 19:14
@jakecoffman jakecoffman force-pushed the jakecoffman/maven-replaces-base branch from 0e13752 to 1421afe Compare October 17, 2022 19:19
Contributor

@honeyankit honeyankit left a comment

This makes sense to me.

Base automatically changed from jakecoffman/maven-fix-version-finder-repos to main October 17, 2022 19:56
@jurre
Member

jurre commented Oct 18, 2022

mirrors what the Maven executable would do with a settings.xml present with the dependabot.yml registries defined

Should we try and pull that settings.xml file in to determine whether to do this?

@jakecoffman
Member Author

@jurre The settings.xml lives outside of the repository so we can't pull it in: reference

I only mention it here because I think users will expect that we're taking the registries defined in dependabot.yml and placing them in a settings.xml on the system so the Maven executable will use them in the typical order. Thus the "replaces-base" functionality should not actually replace the base (e.g. go to the end of the list), but just remove base and preserve the order in dependabot.yml.

If we were to one day use the Maven executable, to achieve this same functionality we'd drop the settings.xml so Maven would pick it up, and hopefully the behavior would not change.
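
The ordering rule discussed in this thread, as an added example that is not part of the conversation and is not Dependabot's own code: it resolves the query order from a constructed dependabot.yml fragment and reports any host outside an allow-list that would still be contacted. The helper names, the sample hostnames, and the placement of Maven Central last when nothing replaces it are assumptions drawn from the discussion.

```ruby
require "yaml"
require "uri"

# Public Maven Central URL, treated here as the "base" registry.
CENTRAL = "https://repo.maven.apache.org/maven2"

# Constructed dependabot.yml fragment (hostnames are made up for the example).
SAMPLE = <<~YAML
  version: 2
  registries:
    internal-proxy:
      type: maven-repository
      url: https://maven.internal.example/releases/
      replaces-base: true
    vendor-mirror:
      type: maven-repository
      url: https://artifacts.vendor.example/maven
YAML

# Hypothetical helper: Maven registry entries in the order they appear in the file.
def maven_registries(yaml_text)
  config = YAML.safe_load(yaml_text) || {}
  (config["registries"] || {}).values.select { |r| r["type"] == "maven-repository" }
end

# Hypothetical helper: ordered list of repository URLs that would be queried.
# If any registry sets replaces-base, the base is dropped and file order is kept.
# Otherwise the base is appended last (assumption, see lead-in).
def resolve_repositories(yaml_text, base: CENTRAL)
  regs = maven_registries(yaml_text)
  urls = regs.map { |r| r.fetch("url").chomp("/") }.uniq
  return urls if regs.any? { |r| r["replaces-base"] == true }

  (urls + [base]).uniq
end

# Defender's check: hosts that would be contacted but are not on the allow-list.
def unexpected_hosts(yaml_text, allowed_hosts)
  resolve_repositories(yaml_text).map { |u| URI(u).host }.uniq - allowed_hosts
end

if __FILE__ == $0
  puts resolve_repositories(SAMPLE)
  p unexpected_hosts(SAMPLE, ["maven.internal.example", "artifacts.vendor.example"])
end
```

Running the same check on a copy of the file without `replaces-base: true` shows `repo.maven.apache.org` as the one host outside the allow-list.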
