Dependabot uses the information defined in pom.xml
files to create pull requests to update Java dependencies for the Gradle and Maven ecosystems. When you include the project metadata that Dependabot expects, pull requests contain links to the release notes for the suggested package update and a link where users can report any issues. This information means that users can update their packages with confidence after reviewing all the release information.
Including the metadata Dependabot needs in pom.xml files
Dependabot uses the URLs for the project, the source code management system, and the issue management system to build the summary for update pull requests.
url
the home page for the project, see More Project Information in the POM referencescm
the URL of the source code management system used by the project, see SCM in the POM ReferenceissueManagement
the URL of the issue management system used by the project, see Issue Management in the POM Reference
Example for a project hosted on GitHub
<project>
<url>https://github.com/OWNER/REPOSITORY</url>
<scm>
<url>https://github.com/OWNER/REPOSITORY</url>
</scm>
<issueManagement>
<url>https://github.com/OWNER/REPOSITORY/issues</url>
</issueManagement>
</project>
Replace OWNER
and REPOSITORY
with the detailed for your project.
Impact of omitting project metadata from pom.xml files
If you forget to include the URLs that Dependabot checks for, then pull requests to update Java packages are still created. However, the information available to users in the pull request summary will be limited.
- Project repository or Source code management URL undefined: no links to release notes in Dependabot pull requests
- Issue management URL undefined: no link to the issues page for reporting problems.
Adding this information helps Dependabot provide better, more accurate updates for your project, complete with helpful links to release notes and issue trackers.