Maven Lockfile

[MartinWitt]

Type of discussion.

I'm proposing an idea

Tell us more.

Renovate supports lockfiles for different build tools and languages. For maven there is none. We have created a lockfile for maven https://github.com/chains-project/maven-lockfile. For an example lockfile see https://github.com/chains-project/maven-lockfile/blob/main/maven_plugin/lockfile.json.

Goals as maven plugin

Our maven plugin has 2 goals, mvn io.github.chains-project:maven-lockfile:generate and mvn io.github.chains-project:maven-lockfile:validate.

It looks like renovate can update lockfiles after a dependency update. So only an invocation of the generate goal is needed.

[rarkins]

Consider the scenario where someone declares their dependencies with constraint ranges, e.g. [1,2), and the lockfile contains a 1.x version like 1.1.0. When would you expect Renovate to update the lockfile?

1. Any time the dependency gets a new version, such as 1.2.0?
2. Only when the package file is updated, such as the release of 2.0.0?

[MartinWitt]

Currently, constraints get resolved at the time the lockfile is created. The resolution is done by maven itself and should be the newest matching version. I would expect renovate to update the lockfile anytime there is a new version detected. Is this possible?

[rarkins]

It would be possible to try to trigger an update any time a ranged dependency changes, but until you can enforce Maven to use the lock file then it would also be quite pointless. I would recommend keeping it simple and only updating the lock file when the pom.xml changes dependencies

[MartinWitt]

Is there some code in renovate to only call the maven plugin if a dependency changed, or shall we provide this function?

[rarkins]

That logic already exists

[MartinWitt]

As an update, we also now have a goal to rebuild your artifacts with the exact versions from the lockfile. We call this freeze, and this replaces every version in the pom with the version from the lockfile. Also, every transitive dependency is added to the pom. This way, maven resolves exactly these versions.

[rarkins]

Sounds similar to pip-compile with requirements.in and requirements.txt?

[MartinWitt]

Yes it is the same. Not a novel feature but something nice for a lockfile.

[MartinWitt]

@MartinWitt can we discuss this in a Discussion first? I'm not sure that a separate manager is best

Sure. I thought lockfiles were managed by managers. And my understanding was the integration shouldn't change critical code. This lead me to create a new manager. What's your opinion on integrating it and at which place?

[rarkins]

Normally lock file updating is part of the same manager, as it needs to be done at the same time as the package file updating.

[MartinWitt]

Okay, so I will add the code somewhere in the maven manager. Shall we

1. detect if there is a lockfile already or
2. the plugin is applied or
3. use some config value
   to detect if maven-lockfile-plugin should be executed?

[viceice]

detect existing lockfile

[MartinWitt]

I took a look at the code and to my current understanding the workflow of renovate is:
For maven, something calls updateDependency for the dependency update. After the method, the pom.xml is updated with a new version for some artifact(s). Afterward, updateArtifacts is called if needed. And during this method, I can invoke maven-lockfile?

[rarkins]

Yes, part of updateArtifacts

[LogFlames]

Hi,

Apologies for waking the old thread, but my name is Elias and I have taken over the maintenance of maven-lockfile. I would love continue to work on adding it to renovate, and thought it better to use this one than create a new discussion.

I plan to open a new PR adding it and wanted to check whether you want to have any discussion about missing features or whats left to do, as #23060 was closed without being merged, or if it's clear to go ahead. (Will of course update the code to the latest version of renovate.)

Best,
Elias Lundell