Maven dependencies updated without respecting compatibility

[rubasace]

How are you running Renovate?

Self-hosted

If you're self-hosting Renovate, tell us what version of Renovate you run.

32.7.1

Please select which platform you are using if self-hosting.

Bitbucket Cloud (bitbucket.org)

If you're self-hosting Renovate, tell us what version of the platform you run.

Bitbucket Cloud

Was this something which used to work for you, and then stopped?

It used to work, and then stopped

Describe the bug

Renovate seems to be updating Maven dependencies without respecting the compatibility:

<plugin>
   <groupId>org.apache.cxf</groupId>
   <artifactId>cxf-codegen-plugin</artifactId>
-                    <version>3.5.2</version>
+                    <version>3.5.2-jbossorg-1</version>
</plugin>

For some reason, it has decided that 3.5.2-jbossorg-1 is a valid version to upgrade from 3.5.2.

Similarly, it happened a couple days ago that it updated from a dependency on version 6.2.8 to the same one in version 6.2.9-feature-xyz one.

My understanding is that Renovate respects the semver format for Maven and doesn't update to SNAPSHOT or similar version from stable ones. Is this a bug or is this something that I have to configure explicitly?

This is my simple configuration:

{
  "extends": [
    "config:base",
    "docker:enableMajor",
    "docker:pinDigests"
    "default:automergeDigest",
    "default:automergePatch"
  ],
  "prHourlyLimit": "6",
  "reviewers": ["****"],
  "packageRules": [
    {
      "matchUpdateTypes": ["pin"],
      "automerge": true
    }
  ]
}

Relevant debug logs

No response

Have you created a minimal reproduction repository?

No reproduction repository

[rarkins]

In Maven versioning, neither -jbossorg-1 nor -feature-xyz are reserved suffixes or have any special meaning of unstable. Maven versioning and stable patterns are not always the same as semver versioning, so your understanding that Renovate "respects the semver format for Maven" is incorrect - Renovate defaults to Maven versioning. This means that although in SemVer -anything suffixes mean unstable, the same is not for Maven.

Here's a handy post on the topic: https://octopus.com/blog/maven-versioning-explained

The examples you describe fall into the -whatever category, which you can see are consider stable and higher than lack of suffix.

If you want Renovate to use semver versioning for Maven dependencies then you can configure it, but it is not possible to expect Renovate to default to semver versioning instead of maven versioning.

You can use packageRules plus "versioning": "semver" if you want to tell Renovate to use semver for particular packages.