feat(datasource/maven): set latest tag ignored by default (#37541)

Author: rarkins

docs/usage/configuration-options.md

@@ -4250,6 +4250,12 @@ For `npm` manager when `replacementApproach=alias` then instead of replacing `"f
 Similar to `ignoreUnstable`, this option controls whether to update to versions that are greater than the version tagged as `latest` in the repository.
 By default, `renovate` will update to a version greater than `latest` only if the current version is itself past latest.
 
+<!-- prettier-ignore -->
+!!! note
+    By default, respectLatest will be set to `false` for Maven results if a `latest` tag is found.
+    This is because many Maven registries don't have a reliable `latest` tag - it just means whatever was last published.
+    You need to override this to `respectLatest=true` in `packageRules` in order to use it.
+
 ## reviewers
 
 Must be valid usernames.

lib/modules/datasource/clojure/__snapshots__/index.spec.ts.snap

@@ -34,6 +34,11 @@ exports[`modules/datasource/clojure/index > falls back to next registry url 1`]
       "version": "2.0.0",
     },
   ],
+  "respectLatest": false,
+  "tags": {
+    "latest": "2.0.0",
+    "release": "2.0.0",
+  },
 }
 `;
 
@@ -101,6 +106,11 @@ exports[`modules/datasource/clojure/index > returns releases from custom reposit
       "version": "2.0.0",
     },
   ],
+  "respectLatest": false,
+  "tags": {
+    "latest": "2.0.0",
+    "release": "2.0.0",
+  },
 }
 `;
 
@@ -138,6 +148,11 @@ exports[`modules/datasource/clojure/index > skips registry with invalid XML 1`]
       "version": "2.0.0",
     },
   ],
+  "respectLatest": false,
+  "tags": {
+    "latest": "2.0.0",
+    "release": "2.0.0",
+  },
 }
 `;
 
@@ -175,5 +190,10 @@ exports[`modules/datasource/clojure/index > skips registry with invalid metadata
       "version": "2.0.0",
     },
   ],
+  "respectLatest": false,
+  "tags": {
+    "latest": "2.0.0",
+    "release": "2.0.0",
+  },
 }
 `;

lib/modules/datasource/maven/__snapshots__/index.spec.ts.snap

@@ -34,6 +34,11 @@ exports[`modules/datasource/maven/index > falls back to next registry url 1`] =
       "version": "2.0.0",
     },
   ],
+  "respectLatest": false,
+  "tags": {
+    "latest": "2.0.0",
+    "release": "2.0.0",
+  },
 }
 `;
 
@@ -101,6 +106,11 @@ exports[`modules/datasource/maven/index > removes authentication header after re
       "version": "2.0.0",
     },
   ],
+  "respectLatest": false,
+  "tags": {
+    "latest": "2.0.0",
+    "release": "2.0.0",
+  },
 }
 `;
 
@@ -138,6 +148,11 @@ exports[`modules/datasource/maven/index > returns releases 1`] = `
       "version": "2.0.0",
     },
   ],
+  "respectLatest": false,
+  "tags": {
+    "latest": "2.0.0",
+    "release": "2.0.0",
+  },
 }
 `;
 
@@ -176,6 +191,11 @@ exports[`modules/datasource/maven/index > returns releases from custom repositor
       "version": "2.0.0",
     },
   ],
+  "respectLatest": false,
+  "tags": {
+    "latest": "2.0.0",
+    "release": "2.0.0",
+  },
 }
 `;
 
@@ -213,6 +233,11 @@ exports[`modules/datasource/maven/index > skips registry with invalid XML 1`] =
       "version": "2.0.0",
     },
   ],
+  "respectLatest": false,
+  "tags": {
+    "latest": "2.0.0",
+    "release": "2.0.0",
+  },
 }
 `;
 
@@ -250,5 +275,10 @@ exports[`modules/datasource/maven/index > skips registry with invalid metadata s
       "version": "2.0.0",
     },
   ],
+  "respectLatest": false,
+  "tags": {
+    "latest": "2.0.0",
+    "release": "2.0.0",
+  },
 }
 `;

lib/modules/datasource/maven/index.spec.ts

@@ -162,6 +162,11 @@ describe('modules/datasource/maven/index', () => {
       packageScope: 'org.example',
       registryUrl: 'https://repo.maven.apache.org/maven2',
       releases: [{ version: '1.0.3-SNAPSHOT' }],
+      respectLatest: false,
+      tags: {
+        latest: '1.0.3-SNAPSHOT',
+        release: '1.0.3-SNAPSHOT',
+      },
     });
   });
 
@@ -193,6 +198,11 @@ describe('modules/datasource/maven/index', () => {
       packageScope: 'org.example',
       registryUrl: 'https://repo.maven.apache.org/maven2',
       releases: [{ version: '1.0.3-SNAPSHOT' }],
+      respectLatest: false,
+      tags: {
+        latest: '1.0.3-SNAPSHOT',
+        release: '1.0.3-SNAPSHOT',
+      },
     });
   });
 
@@ -471,6 +481,11 @@ describe('modules/datasource/maven/index', () => {
         { version: '1.0.5-SNAPSHOT' },
         { version: '2.0.0' },
       ],
+      respectLatest: false,
+      tags: {
+        latest: '2.0.0',
+        release: '2.0.0',
+      },
       isPrivate: true,
     });
     expect(googleAuth).toHaveBeenCalledTimes(2);
@@ -516,6 +531,11 @@ describe('modules/datasource/maven/index', () => {
         { version: '1.0.5-SNAPSHOT' },
         { version: '2.0.0' },
       ],
+      respectLatest: false,
+      tags: {
+        latest: '2.0.0',
+        release: '2.0.0',
+      },
       isPrivate: true,
     });
     expect(googleAuth).toHaveBeenCalledTimes(2);

lib/modules/datasource/maven/index.ts

@@ -49,6 +49,16 @@ function extractVersions(metadata: XmlDocument): MetadataResults {
     return res;
   }
   res.versions = elements.map((el) => el.val);
+  const latest = metadata.descendantWithPath('versioning.latest');
+  if (latest?.val) {
+    res.tags ??= {};
+    res.tags.latest = latest.val;
+  }
+  const release = metadata.descendantWithPath('versioning.release');
+  if (release?.val) {
+    res.tags ??= {};
+    res.tags.release = release.val;
+  }
 
   return res;
 }
@@ -134,6 +144,10 @@ export class MavenDatasource extends Datasource {
     };
     if (metadata.tags) {
       result.tags = metadata.tags;
+      if (result.tags.latest) {
+        logger.debug(`Setting respectLatest=false for maven ${packageName}`);
+        result.respectLatest = false;
+      }
     }
 
     if (!this.defaultRegistryUrls.includes(registryUrl)) {

lib/modules/datasource/maven/readme.md

@@ -30,9 +30,8 @@ For example:
 
 #### latest and release tags
 
-Although a package's `maven-metadata.xml` may contain `latest` and `release` tags, we do not map them to `tags.latest` or `tags.release` in Renovate internal data.
-The reason for not doing this is that Maven registries don't use these tags as an indicator of stability - `latest` essentially means "the most recent version which was published".
+When `latest` or `release` values are present in a package's `maven-metadata.xml`, Renovate will map these to its `tags` concept.
+This enables the use of Renovate's `followTag` feature.
 
-For more information on this, see the analysis done in [Discussion #36927](https://github.com/renovatebot/renovate/discussions/36927).
-
-As a result, neither `followTag` nor `respectLatest` concepts apply to Maven dependencies.
+However, Renovate will set `respectLatest=false` whenever the `latest` tag is found, because many Maven registries have been found to populate the tag unreliably.
+You should use `packageRules` to set `respectLatest=true` if you wish to use this feature.

lib/modules/datasource/maven/s3.spec.ts

@@ -65,6 +65,11 @@ describe('modules/datasource/maven/s3', () => {
           { version: '1.0.2' },
           { version: '1.0.3' },
         ],
+        respectLatest: false,
+        tags: {
+          latest: '1.0.2',
+          release: '1.0.2',
+        },
         isPrivate: true,
       });
     });

lib/modules/datasource/types.ts

@@ -97,6 +97,7 @@ export interface ReleaseResult {
   packageScope?: string;
   mostRecentTimestamp?: Timestamp;
   isAbandoned?: boolean;
+  respectLatest?: boolean;
 }
 
 export interface PostprocessReleaseConfig {

lib/workers/repository/process/lookup/index.ts

@@ -205,6 +205,7 @@ export async function lookupUpdates(
         'packageScope',
         'mostRecentTimestamp',
         'isAbandoned',
+        'respectLatest',
       ]);
 
       const latestVersion = dependency.tags?.latest;