[wildfly-dev] Re: Dependabot problems WAS: Possible component upgrades report - wildfly:main

Thanks, Rado! https://github.com/wildfly/wildfly/actions/runs/21376865486 is running On Mon, Jan 26, 2026 at 4:05 PM Radoslav Husar <rhusar(a)redhat.com&gt; wrote: > Brian, looks like I found the problem – the issue is that after 30 failed > runs all GitHub Actions stop. Can you perform one of the suggested > actions below to get us going for another 30 days and hopefully in the > meantime the above issues will be resolved? > > From their website: Sometimes, due to misconfiguration or incompatible > versions, Dependabot jobs for a repository will fail and Dependabot will > continue to run and continue to fail. Now, after 30 failed runs, Dependabot > will immediately fail subsequent scheduled jobs until you trigger a check > for updates from the dependency graph or by updating a manifest file. > Dependabot security update jobs will still trigger as usual. > > Thanks, > Rado > > > On Mon, Jan 26, 2026 at 10:49 PM Radoslav Husar <rhusar(a)redhat.com&gt; > wrote: > >> Just to share where we stand on fixing this upstream, the issue has been >> raised as https://github.com/dependabot/dependabot-core/issues/13713 >> and there is already a fix available at >> https://github.com/dependabot/dependabot-core/pull/13746 >> >> I asked if there is something we can do to help move this forward. >> >> Also, just to note, when I try to restart the dependabot workflows - >> they aren't re-runnable :-( >> >> > Warning: Dependabot workflows cannot be re-run. Retrigger this update >> via Dependabot instead. >> >> Rado >> >> >> On Mon, Jan 26, 2026 at 8:35 PM Brian Stansberry <bstansbe(a)redhat.com&gt; >> wrote: >> >>> Looking at >>> https://github.com/wildfly/wildfly/actions/workflows/dependabot/dependabo..., >>> it looks like the last time a 'maven in' job ran was Dec 30. Since then >>> it's only 'github_actions in' jobs. >>> >>> On Mon, Jan 26, 2026 at 1:20 PM Brian Stansberry <bstansbe(a)redhat.com&gt; >>> wrote: >>> >>>> I'm forking this into a separate thread as it looks like dependabot's >>>> not submitting PRs at all to wildfly/wildfly in a number of weeks. >>>> >>>> I haven't looked into why. >>>> >>>> Until that is sorted please pay extra attention to these 'Possible >>>> component upgrades report' emails and be proactive about sending up upgrade >>>> PRs in areas you are responsible for. >>>> >>>> On Fri, Dec 5, 2025 at 11:22 AM Brian Stansberry <bstansbe(a)redhat.com&gt; >>>> wrote: >>>> >>>>> Thanks, Rado! Hopefully the dependabot folks will figure it out. >>>>> >>>>> On Fri, Dec 5, 2025 at 3:46 AM Radoslav Husar <rhusar(a)redhat.com&gt; >>>>> wrote: >>>>> >>>>>> Funny enough, I was investigating this too last week and concluded >>>>>> it's most likely a dependabot bug. It is a relatively common problem that >>>>>> it stumbles with complicated projects and WildFly is inevitably a >>>>>> complicated project from a dependency perspective. It's not uncommon for us >>>>>> to have to change pom.xml in a way that dependabot could work with it. >>>>>> Which is much harder for projects like WF... >>>>>> >>>>>> The '{message: "ERROR: Invalid expression: >>>>>> /project/groupId}.channel"}' seemed to me to be a 'off by 1 error' >>>>>> and it really meant channels, but then again, that line >>>>>> <channels.maven.groupId>${project.groupId}.channels >>>>>> </channels.maven.groupId> is there since 2024, which seems to hint >>>>>> at something changing in dependabot. >>>>>> >>>>>> I ran out of options so I filed >>>>>> https://github.com/dependabot/dependabot-core/issues/13713 >>>>>> upstream. Feel free to add onto it. >>>>>> >>>>>> Rado >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On Wed, Dec 3, 2025 at 10:36 PM Brian Stansberry via wildfly-dev < >>>>>> wildfly-dev(a)lists.jboss.org&gt; wrote: >>>>>> >>>>>>> I'm not asking anyone to do anything here; I'm just recording some >>>>>>> info about a curiosity in case we eventually dig more into it. >>>>>>> >>>>>>> We've been getting relatively few dependabot PRs lately, but there >>>>>>> are a lot of micros on this report, so that was interesting to me. >>>>>>> >>>>>>> Much of it is because we either deliberately disabled >>>>>>> dependabot for a GA (e.g. is some team manually manages the artifact as >>>>>>> part of a broader update strategy for whatever thing depends on it), or >>>>>>> because we explicitly closed a dependabot PR so some team could manually >>>>>>> deal with that artifact. All that's ok so long as teams don't forget. >>>>>>> >>>>>>> But there are a number of others that fail because dependabot fails >>>>>>> trying to generate the upgrade PR. These all have the same symptom in the >>>>>>> dependabot log: >>>>>>> >>>>>>> Handled error whilst updating the_groupId:the_artifact_id: >>>>>>> dependency_file_not_evaluatable {message: "ERROR: Invalid expression: >>>>>>> /project/groupId}.channel"} >>>>>>> >>>>>>> A gist at >>>>>>> https://gist.github.com/bstansberry/5bbd2b64ac324421628c08958c4210b8 >>>>>>> has more details. >>>>>>> >>>>>>> I poked a bit at some of the various relevant poms and didn't see >>>>>>> anything about "groupId}.channel" so ???. >>>>>>> >>>>>>> The root WF pom itself has "<channels.maven.groupId>${project.groupId}.channels</channels.maven.groupId>" >>>>>>> but that has the trailing 's', plus it's been there for ages, plus I'd >>>>>>> think if that was somehow problematic no dependabot PRs would work. But we >>>>>>> do get some. >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Wed, Dec 3, 2025 at 9:51 AM Tomas Hofman via wildfly-dev < >>>>>>> wildfly-dev(a)lists.jboss.org&gt; wrote: >>>>>>> >>>>>>>> Component Upgrade Report >>>>>>>> >>>>>>>> Following repositories were searched: >>>>>>>> >>>>>>>> - Central https://repo1.maven.org/maven2/ >>>>>>>> - JBossPublic >>>>>>>> https://repository.jboss.org/nexus/content/repositories/public/ >>>>>>>> >>>>>>>> Possible Component Upgrades >>>>>>>> GAV New Version Repository Since >>>>>>>> com.fasterxml:classmate:1.5.1 >>>>>>>> ↳ Minor upgrade 1.7.1 Central 2025-10-01 >>>>>>>> com.fasterxml.woodstox:woodstox-core:7.0.0 >>>>>>>> ↳ Minor upgrade 7.1.1 Central 2025-06-04 >>>>>>>> com.google.api.grpc:proto-google-common-protos:2.0.1 >>>>>>>> ↳ Minor upgrade 2.63.1 Central 2025-11-12 >>>>>>>> com.google.code.gson:gson:2.13.1 2.13.2 Central 2025-09-17 >>>>>>>> com.google.guava:guava:33.0.0-jre >>>>>>>> ↳ Minor upgrade 33.5.0-jre Central 2025-09-24 >>>>>>>> com.google.protobuf:protobuf-java:4.28.3 >>>>>>>> ↳ Minor upgrade 4.33.1 Central 2025-11-19 >>>>>>>> com.h2database:h2:2.2.224 >>>>>>>> ↳ Minor upgrade 2.4.240 Central 2025-10-01 >>>>>>>> com.nimbusds:nimbus-jose-jwt:10.3.1 >>>>>>>> ↳ Minor upgrade 10.6 Central 2025-11-12 >>>>>>>> com.sun.istack:istack-commons-runtime:4.1.2 >>>>>>>> ↳ Minor upgrade 4.2.0 Central 2024-02-07 >>>>>>>> commons-codec:commons-codec:1.17.2 >>>>>>>> ↳ Minor upgrade 1.20.0 Central 2025-11-12 >>>>>>>> commons-collections:commons-collections:3.2.2 >>>>>>>> ↳ Very latest 20040616 Central 2024-02-07 >>>>>>>> commons-io:commons-io:2.16.1 >>>>>>>> ↳ Minor upgrade 2.21.0 Central 2025-11-12 >>>>>>>> de.dentrassi.crypto:pem-keystore:2.4.0 >>>>>>>> ↳ Very latest 3.0.0 Central 2024-11-20 >>>>>>>> io.agroal:agroal-api:2.0 >>>>>>>> ↳ Minor upgrade 2.8 Central 2025-08-20 >>>>>>>> io.github.resilience4j:resilience4j-core:2.2.0 >>>>>>>> ↳ Minor upgrade 2.3.0 Central 2025-01-08 >>>>>>>> io.grpc:grpc-api:1.70.0 >>>>>>>> ↳ Minor upgrade 1.77.0 Central 2025-11-19 >>>>>>>> io.micrometer:micrometer-commons:1.15.6 >>>>>>>> ↳ Minor upgrade 1.16.0 Central 2025-11-12 >>>>>>>> io.netty:netty-all:4.0.19.Final 4.0.56.Final Central 2024-02-07 >>>>>>>> ↳ Minor upgrade 4.2.7.Final Central 2025-10-15 >>>>>>>> io.netty:netty-bom:4.1.128.Final >>>>>>>> ↳ Minor upgrade 4.2.7.Final Central 2025-10-15 >>>>>>>> io.opentelemetry:opentelemetry-api:1.48.0 >>>>>>>> ↳ Minor upgrade 1.56.0 Central 2025-11-12 >>>>>>>> >>>>>>>> io.opentelemetry.instrumentation:opentelemetry-instrumentation-annotations:2.14.0 >>>>>>>> ↳ Minor upgrade 2.22.0 Central 2025-11-26 >>>>>>>> io.opentelemetry.semconv:opentelemetry-semconv:1.32.0 >>>>>>>> ↳ Minor upgrade 1.37.0 Central 2025-09-03 >>>>>>>> io.prometheus:prometheus-metrics-config:1.3.3 1.3.10 Central >>>>>>>> 2025-07-09 >>>>>>>> ↳ Minor upgrade 1.4.3 Central 2025-11-12 >>>>>>>> io.smallrye:smallrye-jwt:4.3.1 >>>>>>>> ↳ Minor upgrade 4.6.2 Central 2025-05-28 >>>>>>>> io.smallrye:smallrye-open-api-core:4.2.1 4.2.3 Central 2025-11-26 >>>>>>>> io.smallrye.config:smallrye-config:3.13.4 >>>>>>>> ↳ Minor upgrade 3.14.1 Central 2025-10-15 >>>>>>>> io.smallrye.reactive:mutiny:2.8.0 >>>>>>>> ↳ Minor upgrade 2.9.5 Central 2025-10-29 >>>>>>>> ↳ Very latest 3.1.0 Central new >>>>>>>> io.smallrye.reactive:smallrye-mutiny-vertx-amqp-client:3.17.1 >>>>>>>> ↳ Minor upgrade 3.21.1 Central new >>>>>>>> io.smallrye.reactive:smallrye-reactive-converter-api:2.6.0 >>>>>>>> ↳ Minor upgrade 2.7.0 Central 2024-02-07 >>>>>>>> ↳ Very latest 3.0.3 Central 2025-04-16 >>>>>>>> io.smallrye.reactive:smallrye-reactive-messaging-amqp:4.30.0 >>>>>>>> ↳ Minor upgrade 4.31.0 Central 2025-11-12 >>>>>>>> io.vertx:vertx-amqp-client:4.5.22 >>>>>>>> ↳ Very latest 5.0.5 Central 2025-10-22 >>>>>>>> io.vertx:vertx-kafka-client:4.4.9 >>>>>>>> ↳ Minor upgrade 4.5.22 Central 2025-10-22 >>>>>>>> ↳ Very latest 5.0.5 Central 2025-10-22 >>>>>>>> jakarta.annotation:jakarta.annotation-api:2.1.1 >>>>>>>> ↳ Very latest 3.0.0 Central 2024-04-10 >>>>>>>> jakarta.enterprise:jakarta.enterprise.cdi-api:2.0.2 >>>>>>>> ↳ Very latest 4.1.0 Central 2024-04-17 >>>>>>>> jakarta.enterprise:jakarta.enterprise.cdi-api:4.0.1 >>>>>>>> ↳ Minor upgrade 4.1.0 Central 2024-04-17 >>>>>>>> >>>>>>>> jakarta.enterprise.concurrent:jakarta.enterprise.concurrent-api:3.0.3 >>>>>>>> 3.0.4 Central 2024-07-03 >>>>>>>> ↳ Minor upgrade 3.1.1 Central 2024-06-26 >>>>>>>> jakarta.faces:jakarta.faces-api:4.0.1 >>>>>>>> ↳ Minor upgrade 4.1.2 Central 2024-11-06 >>>>>>>> jakarta.inject:jakarta.inject-api:1.0.5 >>>>>>>> ↳ Very latest 2.0.1 Central 2024-02-07 >>>>>>>> jakarta.mail:jakarta.mail-api:2.1.3 2.1.5 Central 2025-09-24 >>>>>>>> jakarta.mvc:jakarta.mvc-api:2.1.0 >>>>>>>> ↳ Very latest 3.0.0 Central 2025-05-14 >>>>>>>> jakarta.persistence:jakarta.persistence-api:3.1.0 >>>>>>>> ↳ Minor upgrade 3.2.0 Central 2024-05-22 >>>>>>>> jakarta.security.enterprise:jakarta.security.enterprise-api:3.0.0 >>>>>>>> ↳ Very latest 4.0.0 Central 2024-06-26 >>>>>>>> jakarta.servlet:jakarta.servlet-api:6.0.0 >>>>>>>> ↳ Minor upgrade 6.1.0 Central 2024-06-12 >>>>>>>> jakarta.servlet.jsp:jakarta.servlet.jsp-api:3.1.1 >>>>>>>> ↳ Very latest 4.0.0 Central 2024-06-12 >>>>>>>> jakarta.validation:jakarta.validation-api:3.0.2 >>>>>>>> ↳ Minor upgrade 3.1.1 Central 2025-02-05 >>>>>>>> jakarta.websocket:jakarta.websocket-api:2.1.1 >>>>>>>> ↳ Minor upgrade 2.2.0 Central 2024-05-29 >>>>>>>> jakarta.ws.rs:jakarta.ws.rs-api:3.1.0 >>>>>>>> ↳ Very latest 4.0.0 Central 2024-05-08 >>>>>>>> joda-time:joda-time:2.12.7 >>>>>>>> ↳ Minor upgrade 2.14.0 Central 2025-04-02 >>>>>>>> net.bytebuddy:byte-buddy:1.15.11 >>>>>>>> ↳ Minor upgrade 1.18.2 Central 2025-12-03 >>>>>>>> net.bytebuddy:byte-buddy:1.17.6 1.17.8 Central 2025-10-15 >>>>>>>> ↳ Minor upgrade 1.18.2 Central new >>>>>>>> net.shibboleth.utilities:java-support:8.0.0 >>>>>>>> ↳ Minor upgrade 8.4.2 JBossPublic 2024-04-17 >>>>>>>> org.antlr:antlr4:4.13.0 4.13.2 Central 2024-08-14 >>>>>>>> org.apache.avro:avro:1.12.0 1.12.1 Central 2025-10-22 >>>>>>>> org.apache.cxf:cxf-core:4.0.10 >>>>>>>> ↳ Minor upgrade 4.1.4 Central 2025-11-19 >>>>>>>> org.apache.cxf.xjc-utils:cxf-xjc-runtime:4.1.0 4.1.1 Central >>>>>>>> 2025-10-29 >>>>>>>> org.apache.kafka:kafka-clients:3.9.1 >>>>>>>> ↳ Very latest 4.1.1 Central 2025-11-19 >>>>>>>> org.apache.kerby:kerb-server-api-all:2.0.3 >>>>>>>> ↳ Minor upgrade 2.1.1 Central 2025-11-26 >>>>>>>> org.apache.lucene:lucene-analysis-common:9.11.1 >>>>>>>> ↳ Minor upgrade 9.12.3 Central 2025-10-01 >>>>>>>> ↳ Very latest 10.3.2 Central 2025-11-19 >>>>>>>> org.apache.lucene:lucene-analysis-common:9.12.2 9.12.3 Central >>>>>>>> 2025-10-01 >>>>>>>> ↳ Very latest 10.3.2 Central 2025-11-19 >>>>>>>> org.apache.santuario:xmlsec:3.0.6 >>>>>>>> ↳ Very latest 4.0.4 Central 2025-04-16 >>>>>>>> org.apache.ws.xmlschema:xmlschema-core:2.3.0 2.3.2 Central >>>>>>>> 2025-11-05 >>>>>>>> org.apache.wss4j:wss4j-bindings:3.0.5 >>>>>>>> ↳ Very latest 4.0.1 Central 2025-11-05 >>>>>>>> org.assertj:assertj-bom:3.26.3 >>>>>>>> ↳ Minor upgrade 3.27.6 Central 2025-09-24 >>>>>>>> org.cryptacular:cryptacular:1.2.5 1.2.7 Central 2024-08-21 >>>>>>>> org.eclipse.angus:angus-mail:2.0.4 2.0.5 Central 2025-09-24 >>>>>>>> org.eclipse.jdt:ecj:3.33.0 >>>>>>>> ↳ Minor upgrade 3.43.0 Central 2025-09-10 >>>>>>>> org.eclipse.krazo:krazo-core:3.0.1 >>>>>>>> ↳ Very latest 4.0.1 Central 2025-06-11 >>>>>>>> org.elasticsearch.client:elasticsearch-rest-client:8.15.4 8.15.5 >>>>>>>> Central 2024-11-27 >>>>>>>> ↳ Minor upgrade 8.19.8 Central new >>>>>>>> ↳ Very latest 9.2.2 Central 2025-12-03 >>>>>>>> org.elasticsearch.client:elasticsearch-rest-client:9.1.3 9.1.8 >>>>>>>> Central new >>>>>>>> ↳ Minor upgrade 9.2.2 Central new >>>>>>>> org.glassfish:jakarta.faces:4.0.12 >>>>>>>> ↳ Minor upgrade 4.1.4 Central 2025-09-17 >>>>>>>> org.glassfish:jakarta.faces:4.1.3 4.1.4 Central 2025-09-17 >>>>>>>> org.glassfish.expressly:expressly:5.0.0 >>>>>>>> ↳ Very latest 6.0.0 Central 2025-05-21 >>>>>>>> org.glassfish.soteria:jakarta.security.enterprise:3.0.3 3.0.4 >>>>>>>> Central 2025-08-20 >>>>>>>> org.hibernate.orm:hibernate-core:6.6.37.Final 6.6.38.Final Central >>>>>>>> new >>>>>>>> ↳ Very latest 7.1.11.Final Central 2025-12-03 >>>>>>>> org.hibernate.orm:hibernate-core:7.1.2.Final 7.1.11.Final Central >>>>>>>> new >>>>>>>> >>>>>>>> org.hibernate.search:hibernate-search-backend-elasticsearch:7.2.4.Final >>>>>>>> ↳ Very latest 8.1.2.Final Central 2025-09-10 >>>>>>>> org.hibernate.validator:hibernate-validator:8.0.3.Final >>>>>>>> ↳ Very latest 9.1.0.Final Central 2025-11-12 >>>>>>>> org.infinispan:infinispan-bom:15.2.6.Final >>>>>>>> ↳ Very latest 16.0.3 Central new >>>>>>>> org.jboss.genericjms:generic-jms-ra-jar:3.0.0.Final >>>>>>>> ↳ Minor upgrade 3.1.0 Central 2024-02-07 >>>>>>>> org.jboss.openjdk-orb:openjdk-orb:10.1.1.Final 10.1.3.Final >>>>>>>> Central 2025-11-12 >>>>>>>> org.jboss.resteasy:resteasy-atom-provider:6.2.14.Final >>>>>>>> ↳ Very latest 7.0.0.Final Central 2025-10-01 >>>>>>>> org.jboss.weld:weld-api:5.0.SP3 >>>>>>>> ↳ Very latest 6.0.Final Central 2024-12-18 >>>>>>>> org.jboss.weld:weld-core-impl:5.1.6.Final >>>>>>>> ↳ Very latest 6.0.3.Final Central 2025-05-21 >>>>>>>> org.jgroups:jgroups:5.4.12.Final >>>>>>>> ↳ Minor upgrade 5.5.1.Final Central 2025-11-12 >>>>>>>> org.junit:junit-bom:5.14.1 >>>>>>>> ↳ Very latest 6.0.1 Central 2025-11-05 >>>>>>>> org.lz4:lz4-java:1.8.0 1.8.1 Central new >>>>>>>> org.opensaml:opensaml-profile-api:4.3.2 >>>>>>>> ↳ Very latest 5.1.6 JBossPublic 2025-08-27 >>>>>>>> org.ow2.asm:asm:9.7.1 >>>>>>>> ↳ Minor upgrade 9.9 Central 2025-10-15 >>>>>>>> org.wildfly:wildfly-naming-client:1.0.17.Final >>>>>>>> ↳ Minor upgrade 1.1.0.Final Central 2024-02-07 >>>>>>>> ↳ Very latest 2.0.1.Final Central 2024-02-07 >>>>>>>> org.wildfly.glow:wildfly-glow-core:1.5.1.Final 1.5.2.Final Central >>>>>>>> 2025-10-22 >>>>>>>> org.xerial.snappy:snappy-java:1.1.10.5 1.1.10.8 Central 2025-07-24 >>>>>>>> software.amazon.awssdk:annotations:2.36.3 >>>>>>>> ↳ Minor upgrade 2.40.0 Central new >>>>>>>> 92 items >>>>>>>> >>>>>>>> Generated on 2025-12-03 >>>>>>>> >>>>>>>> Report generated by Maven Dependency Updater >>>>>>>> <https://github.com/jboss-set/maven-dependency-updater> >>>>>>>> _______________________________________________ >>>>>>>> wildfly-dev mailing list -- wildfly-dev(a)lists.jboss.org >>>>>>>> To unsubscribe send an email to wildfly-dev-leave(a)lists.jboss.org >>>>>>>> Privacy Statement: https://www.redhat.com/en/about/privacy-policy >>>>>>>> List Archives: >>>>>>>> https://lists.jboss.org/archives/list/wildfly-dev@lists.jboss.org/message... >>>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Brian Stansberry >>>>>>> Architect, JBoss EAP >>>>>>> WildFly Project Lead >>>>>>> He/Him/His >>>>>>> _______________________________________________ >>>>>>> wildfly-dev mailing list -- wildfly-dev(a)lists.jboss.org >>>>>>> To unsubscribe send an email to wildfly-dev-leave(a)lists.jboss.org >>>>>>> Privacy Statement: https://www.redhat.com/en/about/privacy-policy >>>>>>> List Archives: >>>>>>> https://lists.jboss.org/archives/list/wildfly-dev@lists.jboss.org/message... >>>>>>> >>>>>> >>>>> >>>>> -- >>>>> Brian Stansberry >>>>> Architect, JBoss EAP >>>>> WildFly Project Lead >>>>> He/Him/His >>>>> >>>> >>>> >>>> -- >>>> Brian Stansberry >>>> Collaborative Partner - IBM >>>> Architect, JBoss EAP >>>> WildFly Project Lead >>>> He/Him/His >>>> >>> >>> >>> -- >>> Brian Stansberry >>> Collaborative Partner - IBM >>> Architect, JBoss EAP >>> WildFly Project Lead >>> He/Him/His >>> >> -- Brian Stansberry Collaborative Partner - IBM Architect, JBoss EAP WildFly Project Lead He/Him/His