Description
In Maven, it is common for third-party companies to publish artifacts with the same name but with different suffixes in the version. These builds often follow a different release schedule.
Examples:
- Kafka libraries, where Confluent publishes versions with the -ce (Confluent Platform) and -ccs (Community edition) suffixes
- Many Apache Spark providers
When suggesting an upgrade, Dependabot should take this into consideration, so that it does not propose moving to a different provider or from an OSS version to a provider's build (as in the bug below).
Is there an existing issue for this?
Package ecosystem
maven
dependabot.yml content
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "monthly"
    ignore:
      - dependency-name: "*"
        update-types:
          - "version-update:semver-major"
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "monthly"
    ignore:
      - dependency-name: "*"
        update-types:
          - "version-update:semver-major"
Updated dependency
- org.apache.kafka:kafka-streams
What you expected to see, versus what you actually saw
Expected:
Dependabot should consider the version suffix and upgrade from -ccs to -ccs:
- Bump org.apache.kafka:kafka-streams from 7.9.4-ccs to 7.9.5-ccs
Actual:
Dependabot created an incompatible version:
- Bump org.apache.kafka:kafka-streams from 7.9.2-ccs to 7.9.5-ce
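The suffix-preserving selection this report asks for, as an added example that is not Dependabot's own code: a Maven version is split into numeric segments plus a trailing qualifier, and only candidates carrying the same qualifier as the current version are eligible, optionally skipping major bumps to mirror the ignore rule in the dependabot.yml above. The candidate list is constructed for the example, not read from the Confluent repository.

```ruby
# Added example (not Dependabot's own code): qualifier-aware selection of a
# Maven upgrade candidate. "7.9.2-ccs" becomes segments [7, 9, 2] plus the
# qualifier "ccs"; a candidate is eligible only with an identical qualifier.

class MavenVersion
  include Comparable
  attr_reader :segments, :qualifier

  def initialize(str)
    numbers, qualifier = str.split("-", 2)   # "7.9.2-ccs" -> ["7.9.2", "ccs"]
    @segments = numbers.split(".").map(&:to_i)
    @qualifier = qualifier                   # nil when the version has no suffix
  end

  def major
    segments.first
  end

  # Numeric comparison only; the qualifier is matched exactly, never ordered.
  def <=>(other)
    width = [segments.size, other.segments.size].max
    pad = ->(s) { s + [0] * (width - s.size) }
    pad.call(segments) <=> pad.call(other.segments)
  end

  def to_s
    qualifier ? "#{segments.join('.')}-#{qualifier}" : segments.join(".")
  end
end

# Highest candidate that keeps the current qualifier. With ignore_major: true
# the "version-update:semver-major" ignore rule from the report's dependabot.yml
# is mirrored, so 8.x candidates are skipped as well. Returns nil if none fits.
def select_upgrade(current, candidates, ignore_major: true)
  cur = MavenVersion.new(current)
  eligible = candidates.map { |c| MavenVersion.new(c) }.select do |v|
    v.qualifier == cur.qualifier &&          # -ccs must never drift to -ce
      v > cur &&
      (!ignore_major || v.major == cur.major)
  end
  eligible.max&.to_s
end

# Constructed candidate list standing in for the repository's version index.
CANDIDATES = %w[7.9.3-ccs 7.9.4 7.9.5-ce 7.9.5-ccs 8.0.0-ccs].freeze

if __FILE__ == $PROGRAM_NAME
  puts select_upgrade("7.9.2-ccs", CANDIDATES)   # 7.9.5-ccs, never 7.9.5-ce
end
```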
Images of the diff or a link to the PR, issue, or logs
From 1737c8e155ec129987c57d029eabdbbf5626ea53 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 18 Dec 2025 00:04:18 +0000
Subject: [PATCH] Bump org.apache.kafka:kafka-streams from 7.9.2-ccs to
7.9.5-ce
Bumps org.apache.kafka:kafka-streams from 7.9.2-ccs to 7.9.5-ce.
---
updated-dependencies:
- dependency-name: org.apache.kafka:kafka-streams
dependency-version: 7.9.5-ce
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 9c12892..e5fc4a8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -25,7 +25,7 @@
<dependency>
<groupId>org.apache.kafka</groupId>
<artifactId>kafka-streams</artifactId>
- <version>7.9.2-ccs</version>
+ <version>7.9.5-ce</version>
</dependency>
</dependencies>
</project>
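Review bot: the only changed line swaps the qualifier, `- <version>7.9.2-ccs</version>` to `+ <version>7.9.5-ce</version>`, which by the description above is a move from the community build to the Confluent Platform build rather than the patch update that `update-type: version-update:semver-patch` in the commit trailer claims. Candidate selection should be restricted to versions carrying the same qualifier as the current one, and a qualifier change should not be classified as semver-patch in the PR title.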
Public example (different dependency, but the same problem): kafbat/kafka-ui#909
Smallest manifest that reproduces the issue
<?xml version="1.0" encoding="UTF-8"?>
<project
  xmlns="http://maven.apache.org/POM/4.0.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.test</groupId>
  <artifactId>test</artifactId>
  <packaging>jar</packaging>
  <version>1.0-SNAPSHOT</version>
  <name>demos</name>
  <repositories>
    <repository>
      <id>confluent-packages</id>
      <url>https://packages.confluent.io/maven</url>
    </repository>
  </repositories>
  <dependencies>
    <dependency>
      <groupId>org.apache.kafka</groupId>
      <artifactId>kafka-streams</artifactId>
      <version>7.9.2-ccs</version>
    </dependency>
  </dependencies>
</project>