[wildfly-dev] Re: Dependabot problems WAS: Possible component upgrades report - wildfly:main

Just to share where we stand on fixing this upstream, the issue has been raised as https://github.com/dependabot/dependabot-core/issues/13713 and there is already a fix available at https://github.com/dependabot/dependabot-core/pull/13746 I asked if there is something we can do to help move this forward. Also, just to note, when I try to restart the dependabot workflows - they aren't re-runnable :-( > Warning: Dependabot workflows cannot be re-run. Retrigger this update via Dependabot instead. Rado On Mon, Jan 26, 2026 at 8:35 PM Brian Stansberry <bstansbe(a)redhat.com&gt; wrote: > Looking at > https://github.com/wildfly/wildfly/actions/workflows/dependabot/dependabo..., > it looks like the last time a 'maven in' job ran was Dec 30. Since then > it's only 'github_actions in' jobs. > > On Mon, Jan 26, 2026 at 1:20 PM Brian Stansberry <bstansbe(a)redhat.com&gt; > wrote: > >> I'm forking this into a separate thread as it looks like dependabot's >> not submitting PRs at all to wildfly/wildfly in a number of weeks. >> >> I haven't looked into why. >> >> Until that is sorted please pay extra attention to these 'Possible >> component upgrades report' emails and be proactive about sending up upgrade >> PRs in areas you are responsible for. >> >> On Fri, Dec 5, 2025 at 11:22 AM Brian Stansberry <bstansbe(a)redhat.com&gt; >> wrote: >> >>> Thanks, Rado! Hopefully the dependabot folks will figure it out. >>> >>> On Fri, Dec 5, 2025 at 3:46 AM Radoslav Husar <rhusar(a)redhat.com&gt; >>> wrote: >>> >>>> Funny enough, I was investigating this too last week and concluded >>>> it's most likely a dependabot bug. It is a relatively common problem that >>>> it stumbles with complicated projects and WildFly is inevitably a >>>> complicated project from a dependency perspective. It's not uncommon for us >>>> to have to change pom.xml in a way that dependabot could work with it. >>>> Which is much harder for projects like WF... >>>> >>>> The '{message: "ERROR: Invalid expression: >>>> /project/groupId}.channel"}' seemed to me to be a 'off by 1 error' >>>> and it really meant channels, but then again, that line >>>> <channels.maven.groupId>${project.groupId}.channels >>>> </channels.maven.groupId> is there since 2024, which seems to hint at >>>> something changing in dependabot. >>>> >>>> I ran out of options so I filed >>>> https://github.com/dependabot/dependabot-core/issues/13713 upstream. >>>> Feel free to add onto it. >>>> >>>> Rado >>>> >>>> >>>> >>>> >>>> >>>> On Wed, Dec 3, 2025 at 10:36 PM Brian Stansberry via wildfly-dev < >>>> wildfly-dev(a)lists.jboss.org&gt; wrote: >>>> >>>>> I'm not asking anyone to do anything here; I'm just recording some >>>>> info about a curiosity in case we eventually dig more into it. >>>>> >>>>> We've been getting relatively few dependabot PRs lately, but there >>>>> are a lot of micros on this report, so that was interesting to me. >>>>> >>>>> Much of it is because we either deliberately disabled dependabot for >>>>> a GA (e.g. is some team manually manages the artifact as part of a broader >>>>> update strategy for whatever thing depends on it), or because we explicitly >>>>> closed a dependabot PR so some team could manually deal with that artifact. >>>>> All that's ok so long as teams don't forget. >>>>> >>>>> But there are a number of others that fail because dependabot fails >>>>> trying to generate the upgrade PR. These all have the same symptom in the >>>>> dependabot log: >>>>> >>>>> Handled error whilst updating the_groupId:the_artifact_id: >>>>> dependency_file_not_evaluatable {message: "ERROR: Invalid expression: >>>>> /project/groupId}.channel"} >>>>> >>>>> A gist at >>>>> https://gist.github.com/bstansberry/5bbd2b64ac324421628c08958c4210b8 >>>>> has more details. >>>>> >>>>> I poked a bit at some of the various relevant poms and didn't see >>>>> anything about "groupId}.channel" so ???. >>>>> >>>>> The root WF pom itself has "<channels.maven.groupId>${project.groupId}.channels</channels.maven.groupId>" >>>>> but that has the trailing 's', plus it's been there for ages, plus I'd >>>>> think if that was somehow problematic no dependabot PRs would work. But we >>>>> do get some. >>>>> >>>>> >>>>> >>>>> On Wed, Dec 3, 2025 at 9:51 AM Tomas Hofman via wildfly-dev < >>>>> wildfly-dev(a)lists.jboss.org&gt; wrote: >>>>> >>>>>> Component Upgrade Report >>>>>> >>>>>> Following repositories were searched: >>>>>> >>>>>> - Central https://repo1.maven.org/maven2/ >>>>>> - JBossPublic >>>>>> https://repository.jboss.org/nexus/content/repositories/public/ >>>>>> >>>>>> Possible Component Upgrades >>>>>> GAV New Version Repository Since >>>>>> com.fasterxml:classmate:1.5.1 >>>>>> ↳ Minor upgrade 1.7.1 Central 2025-10-01 >>>>>> com.fasterxml.woodstox:woodstox-core:7.0.0 >>>>>> ↳ Minor upgrade 7.1.1 Central 2025-06-04 >>>>>> com.google.api.grpc:proto-google-common-protos:2.0.1 >>>>>> ↳ Minor upgrade 2.63.1 Central 2025-11-12 >>>>>> com.google.code.gson:gson:2.13.1 2.13.2 Central 2025-09-17 >>>>>> com.google.guava:guava:33.0.0-jre >>>>>> ↳ Minor upgrade 33.5.0-jre Central 2025-09-24 >>>>>> com.google.protobuf:protobuf-java:4.28.3 >>>>>> ↳ Minor upgrade 4.33.1 Central 2025-11-19 >>>>>> com.h2database:h2:2.2.224 >>>>>> ↳ Minor upgrade 2.4.240 Central 2025-10-01 >>>>>> com.nimbusds:nimbus-jose-jwt:10.3.1 >>>>>> ↳ Minor upgrade 10.6 Central 2025-11-12 >>>>>> com.sun.istack:istack-commons-runtime:4.1.2 >>>>>> ↳ Minor upgrade 4.2.0 Central 2024-02-07 >>>>>> commons-codec:commons-codec:1.17.2 >>>>>> ↳ Minor upgrade 1.20.0 Central 2025-11-12 >>>>>> commons-collections:commons-collections:3.2.2 >>>>>> ↳ Very latest 20040616 Central 2024-02-07 >>>>>> commons-io:commons-io:2.16.1 >>>>>> ↳ Minor upgrade 2.21.0 Central 2025-11-12 >>>>>> de.dentrassi.crypto:pem-keystore:2.4.0 >>>>>> ↳ Very latest 3.0.0 Central 2024-11-20 >>>>>> io.agroal:agroal-api:2.0 >>>>>> ↳ Minor upgrade 2.8 Central 2025-08-20 >>>>>> io.github.resilience4j:resilience4j-core:2.2.0 >>>>>> ↳ Minor upgrade 2.3.0 Central 2025-01-08 >>>>>> io.grpc:grpc-api:1.70.0 >>>>>> ↳ Minor upgrade 1.77.0 Central 2025-11-19 >>>>>> io.micrometer:micrometer-commons:1.15.6 >>>>>> ↳ Minor upgrade 1.16.0 Central 2025-11-12 >>>>>> io.netty:netty-all:4.0.19.Final 4.0.56.Final Central 2024-02-07 >>>>>> ↳ Minor upgrade 4.2.7.Final Central 2025-10-15 >>>>>> io.netty:netty-bom:4.1.128.Final >>>>>> ↳ Minor upgrade 4.2.7.Final Central 2025-10-15 >>>>>> io.opentelemetry:opentelemetry-api:1.48.0 >>>>>> ↳ Minor upgrade 1.56.0 Central 2025-11-12 >>>>>> >>>>>> io.opentelemetry.instrumentation:opentelemetry-instrumentation-annotations:2.14.0 >>>>>> ↳ Minor upgrade 2.22.0 Central 2025-11-26 >>>>>> io.opentelemetry.semconv:opentelemetry-semconv:1.32.0 >>>>>> ↳ Minor upgrade 1.37.0 Central 2025-09-03 >>>>>> io.prometheus:prometheus-metrics-config:1.3.3 1.3.10 Central >>>>>> 2025-07-09 >>>>>> ↳ Minor upgrade 1.4.3 Central 2025-11-12 >>>>>> io.smallrye:smallrye-jwt:4.3.1 >>>>>> ↳ Minor upgrade 4.6.2 Central 2025-05-28 >>>>>> io.smallrye:smallrye-open-api-core:4.2.1 4.2.3 Central 2025-11-26 >>>>>> io.smallrye.config:smallrye-config:3.13.4 >>>>>> ↳ Minor upgrade 3.14.1 Central 2025-10-15 >>>>>> io.smallrye.reactive:mutiny:2.8.0 >>>>>> ↳ Minor upgrade 2.9.5 Central 2025-10-29 >>>>>> ↳ Very latest 3.1.0 Central new >>>>>> io.smallrye.reactive:smallrye-mutiny-vertx-amqp-client:3.17.1 >>>>>> ↳ Minor upgrade 3.21.1 Central new >>>>>> io.smallrye.reactive:smallrye-reactive-converter-api:2.6.0 >>>>>> ↳ Minor upgrade 2.7.0 Central 2024-02-07 >>>>>> ↳ Very latest 3.0.3 Central 2025-04-16 >>>>>> io.smallrye.reactive:smallrye-reactive-messaging-amqp:4.30.0 >>>>>> ↳ Minor upgrade 4.31.0 Central 2025-11-12 >>>>>> io.vertx:vertx-amqp-client:4.5.22 >>>>>> ↳ Very latest 5.0.5 Central 2025-10-22 >>>>>> io.vertx:vertx-kafka-client:4.4.9 >>>>>> ↳ Minor upgrade 4.5.22 Central 2025-10-22 >>>>>> ↳ Very latest 5.0.5 Central 2025-10-22 >>>>>> jakarta.annotation:jakarta.annotation-api:2.1.1 >>>>>> ↳ Very latest 3.0.0 Central 2024-04-10 >>>>>> jakarta.enterprise:jakarta.enterprise.cdi-api:2.0.2 >>>>>> ↳ Very latest 4.1.0 Central 2024-04-17 >>>>>> jakarta.enterprise:jakarta.enterprise.cdi-api:4.0.1 >>>>>> ↳ Minor upgrade 4.1.0 Central 2024-04-17 >>>>>> jakarta.enterprise.concurrent:jakarta.enterprise.concurrent-api:3.0.3 >>>>>> 3.0.4 Central 2024-07-03 >>>>>> ↳ Minor upgrade 3.1.1 Central 2024-06-26 >>>>>> jakarta.faces:jakarta.faces-api:4.0.1 >>>>>> ↳ Minor upgrade 4.1.2 Central 2024-11-06 >>>>>> jakarta.inject:jakarta.inject-api:1.0.5 >>>>>> ↳ Very latest 2.0.1 Central 2024-02-07 >>>>>> jakarta.mail:jakarta.mail-api:2.1.3 2.1.5 Central 2025-09-24 >>>>>> jakarta.mvc:jakarta.mvc-api:2.1.0 >>>>>> ↳ Very latest 3.0.0 Central 2025-05-14 >>>>>> jakarta.persistence:jakarta.persistence-api:3.1.0 >>>>>> ↳ Minor upgrade 3.2.0 Central 2024-05-22 >>>>>> jakarta.security.enterprise:jakarta.security.enterprise-api:3.0.0 >>>>>> ↳ Very latest 4.0.0 Central 2024-06-26 >>>>>> jakarta.servlet:jakarta.servlet-api:6.0.0 >>>>>> ↳ Minor upgrade 6.1.0 Central 2024-06-12 >>>>>> jakarta.servlet.jsp:jakarta.servlet.jsp-api:3.1.1 >>>>>> ↳ Very latest 4.0.0 Central 2024-06-12 >>>>>> jakarta.validation:jakarta.validation-api:3.0.2 >>>>>> ↳ Minor upgrade 3.1.1 Central 2025-02-05 >>>>>> jakarta.websocket:jakarta.websocket-api:2.1.1 >>>>>> ↳ Minor upgrade 2.2.0 Central 2024-05-29 >>>>>> jakarta.ws.rs:jakarta.ws.rs-api:3.1.0 >>>>>> ↳ Very latest 4.0.0 Central 2024-05-08 >>>>>> joda-time:joda-time:2.12.7 >>>>>> ↳ Minor upgrade 2.14.0 Central 2025-04-02 >>>>>> net.bytebuddy:byte-buddy:1.15.11 >>>>>> ↳ Minor upgrade 1.18.2 Central 2025-12-03 >>>>>> net.bytebuddy:byte-buddy:1.17.6 1.17.8 Central 2025-10-15 >>>>>> ↳ Minor upgrade 1.18.2 Central new >>>>>> net.shibboleth.utilities:java-support:8.0.0 >>>>>> ↳ Minor upgrade 8.4.2 JBossPublic 2024-04-17 >>>>>> org.antlr:antlr4:4.13.0 4.13.2 Central 2024-08-14 >>>>>> org.apache.avro:avro:1.12.0 1.12.1 Central 2025-10-22 >>>>>> org.apache.cxf:cxf-core:4.0.10 >>>>>> ↳ Minor upgrade 4.1.4 Central 2025-11-19 >>>>>> org.apache.cxf.xjc-utils:cxf-xjc-runtime:4.1.0 4.1.1 Central >>>>>> 2025-10-29 >>>>>> org.apache.kafka:kafka-clients:3.9.1 >>>>>> ↳ Very latest 4.1.1 Central 2025-11-19 >>>>>> org.apache.kerby:kerb-server-api-all:2.0.3 >>>>>> ↳ Minor upgrade 2.1.1 Central 2025-11-26 >>>>>> org.apache.lucene:lucene-analysis-common:9.11.1 >>>>>> ↳ Minor upgrade 9.12.3 Central 2025-10-01 >>>>>> ↳ Very latest 10.3.2 Central 2025-11-19 >>>>>> org.apache.lucene:lucene-analysis-common:9.12.2 9.12.3 Central >>>>>> 2025-10-01 >>>>>> ↳ Very latest 10.3.2 Central 2025-11-19 >>>>>> org.apache.santuario:xmlsec:3.0.6 >>>>>> ↳ Very latest 4.0.4 Central 2025-04-16 >>>>>> org.apache.ws.xmlschema:xmlschema-core:2.3.0 2.3.2 Central >>>>>> 2025-11-05 >>>>>> org.apache.wss4j:wss4j-bindings:3.0.5 >>>>>> ↳ Very latest 4.0.1 Central 2025-11-05 >>>>>> org.assertj:assertj-bom:3.26.3 >>>>>> ↳ Minor upgrade 3.27.6 Central 2025-09-24 >>>>>> org.cryptacular:cryptacular:1.2.5 1.2.7 Central 2024-08-21 >>>>>> org.eclipse.angus:angus-mail:2.0.4 2.0.5 Central 2025-09-24 >>>>>> org.eclipse.jdt:ecj:3.33.0 >>>>>> ↳ Minor upgrade 3.43.0 Central 2025-09-10 >>>>>> org.eclipse.krazo:krazo-core:3.0.1 >>>>>> ↳ Very latest 4.0.1 Central 2025-06-11 >>>>>> org.elasticsearch.client:elasticsearch-rest-client:8.15.4 8.15.5 >>>>>> Central 2024-11-27 >>>>>> ↳ Minor upgrade 8.19.8 Central new >>>>>> ↳ Very latest 9.2.2 Central 2025-12-03 >>>>>> org.elasticsearch.client:elasticsearch-rest-client:9.1.3 9.1.8 >>>>>> Central new >>>>>> ↳ Minor upgrade 9.2.2 Central new >>>>>> org.glassfish:jakarta.faces:4.0.12 >>>>>> ↳ Minor upgrade 4.1.4 Central 2025-09-17 >>>>>> org.glassfish:jakarta.faces:4.1.3 4.1.4 Central 2025-09-17 >>>>>> org.glassfish.expressly:expressly:5.0.0 >>>>>> ↳ Very latest 6.0.0 Central 2025-05-21 >>>>>> org.glassfish.soteria:jakarta.security.enterprise:3.0.3 3.0.4 >>>>>> Central 2025-08-20 >>>>>> org.hibernate.orm:hibernate-core:6.6.37.Final 6.6.38.Final Central >>>>>> new >>>>>> ↳ Very latest 7.1.11.Final Central 2025-12-03 >>>>>> org.hibernate.orm:hibernate-core:7.1.2.Final 7.1.11.Final Central >>>>>> new >>>>>> >>>>>> org.hibernate.search:hibernate-search-backend-elasticsearch:7.2.4.Final >>>>>> ↳ Very latest 8.1.2.Final Central 2025-09-10 >>>>>> org.hibernate.validator:hibernate-validator:8.0.3.Final >>>>>> ↳ Very latest 9.1.0.Final Central 2025-11-12 >>>>>> org.infinispan:infinispan-bom:15.2.6.Final >>>>>> ↳ Very latest 16.0.3 Central new >>>>>> org.jboss.genericjms:generic-jms-ra-jar:3.0.0.Final >>>>>> ↳ Minor upgrade 3.1.0 Central 2024-02-07 >>>>>> org.jboss.openjdk-orb:openjdk-orb:10.1.1.Final 10.1.3.Final Central >>>>>> 2025-11-12 >>>>>> org.jboss.resteasy:resteasy-atom-provider:6.2.14.Final >>>>>> ↳ Very latest 7.0.0.Final Central 2025-10-01 >>>>>> org.jboss.weld:weld-api:5.0.SP3 >>>>>> ↳ Very latest 6.0.Final Central 2024-12-18 >>>>>> org.jboss.weld:weld-core-impl:5.1.6.Final >>>>>> ↳ Very latest 6.0.3.Final Central 2025-05-21 >>>>>> org.jgroups:jgroups:5.4.12.Final >>>>>> ↳ Minor upgrade 5.5.1.Final Central 2025-11-12 >>>>>> org.junit:junit-bom:5.14.1 >>>>>> ↳ Very latest 6.0.1 Central 2025-11-05 >>>>>> org.lz4:lz4-java:1.8.0 1.8.1 Central new >>>>>> org.opensaml:opensaml-profile-api:4.3.2 >>>>>> ↳ Very latest 5.1.6 JBossPublic 2025-08-27 >>>>>> org.ow2.asm:asm:9.7.1 >>>>>> ↳ Minor upgrade 9.9 Central 2025-10-15 >>>>>> org.wildfly:wildfly-naming-client:1.0.17.Final >>>>>> ↳ Minor upgrade 1.1.0.Final Central 2024-02-07 >>>>>> ↳ Very latest 2.0.1.Final Central 2024-02-07 >>>>>> org.wildfly.glow:wildfly-glow-core:1.5.1.Final 1.5.2.Final Central >>>>>> 2025-10-22 >>>>>> org.xerial.snappy:snappy-java:1.1.10.5 1.1.10.8 Central 2025-07-24 >>>>>> software.amazon.awssdk:annotations:2.36.3 >>>>>> ↳ Minor upgrade 2.40.0 Central new >>>>>> 92 items >>>>>> >>>>>> Generated on 2025-12-03 >>>>>> >>>>>> Report generated by Maven Dependency Updater >>>>>> <https://github.com/jboss-set/maven-dependency-updater> >>>>>> _______________________________________________ >>>>>> wildfly-dev mailing list -- wildfly-dev(a)lists.jboss.org >>>>>> To unsubscribe send an email to wildfly-dev-leave(a)lists.jboss.org >>>>>> Privacy Statement: https://www.redhat.com/en/about/privacy-policy >>>>>> List Archives: >>>>>> https://lists.jboss.org/archives/list/wildfly-dev@lists.jboss.org/message... >>>>>> >>>>> >>>>> >>>>> -- >>>>> Brian Stansberry >>>>> Architect, JBoss EAP >>>>> WildFly Project Lead >>>>> He/Him/His >>>>> _______________________________________________ >>>>> wildfly-dev mailing list -- wildfly-dev(a)lists.jboss.org >>>>> To unsubscribe send an email to wildfly-dev-leave(a)lists.jboss.org >>>>> Privacy Statement: https://www.redhat.com/en/about/privacy-policy >>>>> List Archives: >>>>> https://lists.jboss.org/archives/list/wildfly-dev@lists.jboss.org/message... >>>>> >>>> >>> >>> -- >>> Brian Stansberry >>> Architect, JBoss EAP >>> WildFly Project Lead >>> He/Him/His >>> >> >> >> -- >> Brian Stansberry >> Collaborative Partner - IBM >> Architect, JBoss EAP >> WildFly Project Lead >> He/Him/His >> > > > -- > Brian Stansberry > Collaborative Partner - IBM > Architect, JBoss EAP > WildFly Project Lead > He/Him/His >