{"id":20148246,"url":"https://github.com/chainguard-dev/pombump","last_synced_at":"2025-12-15T17:42:36.768Z","repository":{"id":218118290,"uuid":"745625895","full_name":"chainguard-dev/pombump","owner":"chainguard-dev","description":"Playing around with a tool for updating POM dependencies","archived":false,"fork":false,"pushed_at":"2025-03-17T03:47:47.000Z","size":131,"stargazers_count":1,"open_issues_count":12,"forks_count":6,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-22T00:05:26.072Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chainguard-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-01-19T18:34:25.000Z","updated_at":"2025-01-06T08:16:43.000Z","dependencies_parsed_at":"2024-01-19T21:11:19.982Z","dependency_job_id":"4090844c-ff35-4356-8379-20e093a15753","html_url":"https://github.com/chainguard-dev/pombump","commit_stats":null,"previous_names":["vaikas/pombump","chainguard-dev/pombump"],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fpombump","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fpombump/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fpombump/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fpombump/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/host
s/GitHub/owners/chainguard-dev","download_url":"https://codeload.github.com/chainguard-dev/pombump/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248103899,"owners_count":21048244,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T22:36:03.150Z","updated_at":"2025-12-15T17:42:36.705Z","avatar_url":"https://github.com/chainguard-dev.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# pombump\n\nProgrammatically manipulate Maven (pom.xml) dependencies.\n\n# Overview\n\nFor easier patchability, add ways to selectively bump versions for dependencies.\n\nThe idea is just like [gobump](https://github.com/chainguard-dev/gobump) but for\nJava.\n\n# Usage\n\nThe idea is that there are some `patches` that should be applied to the upstream\npom.xml file. You can specify these via the `--dependencies` flag, or via\n`--patch-file`. You can also update or add properties using the `--properties`\nflag, or via `--properties-file`.\n\n## Specifying Dependencies to be patched\n\nYou can specify the patches that should be applied in two ways. 
They are mutually\nexclusive, so you can only specify one of them at a time.\n\n### --dependencies flag\n\nYou can specify patches via the `--dependencies` flag by encoding them\n(similarly to gobump) in the following format:\n\n```shell\n--dependencies=\"\u003cgroupID@artifactID@version[@scope[@type]]\u003e \u003cgroupID...\u003e\"\n```\n\nSo the `groupID`, `artifactID`, and `version` are required fields, and the\n`scope` and `type` are optional fields. If omitted, `scope` defaults to\n`import`, and `type` defaults to `jar`.\n\n### --patch-file flag\n\nYou can specify a yaml file that contains the patches, which is the preferred\nway, because it's less error-prone, and allows for inline comments to keep track\nof which patches are for which CVEs. `scope` and `type` are optional here as\nwell. If omitted, `scope` defaults to `import`, and `type` defaults to `jar`.\n\nAn example yaml file looks like this:\n\n```yaml\npatches:\n  # CVE-2023-34062\n  - groupID: io.projectreactor.netty\n    artifactID: reactor-netty-http\n    version: 1.0.39\n    scope: import\n    type: pom\n  # CVE-2023-5072\n  - groupId: org.json\n    artifactId: json\n    version: \"20231013\"\n  # CVE-2023-6378\n  - groupId: ch.qos.logback\n    artifactId: logback-core\n    version: \"[1.4.12,2.0.0)\"\n```\n\n## Specifying Properties to be patched\n\nYou can specify the properties that should be modified in two ways. They are\nmutually exclusive, so you can only specify one of them at a time.\n\n### --properties flag\n\nYou can specify the properties via the `--properties` flag by encoding them\n(similarly to gobump) in the following format:\n\n```shell\n--properties=\"property@value property@value\"\n```\n\n### --properties-file flag\n\nYou can specify a yaml file that contains the properties that should be\nmodified. 
This again is the preferred way, for the same reasons that\n`--patch-file` is the preferred way.\n\nAn example file looks like so:\n\n```yaml\nproperties:\n  - property: \"prop1\"\n    value: \"value1\"\n  - property: \"prop2\"\n    value: \"value2\"\n```\n\n# Theory of operation\n\n## Patches\n\nOnce you have specified the patches, the tool will go through the pom.xml file\nand then for each `patch` the following happens:\n\n* If the patch is found in the `dependencies` section, it will be patched\ninline.\n* If the patch is found in the `dependencyManagement.dependencies` section, it\nwill be patched inline.\n* Otherwise, it will be appended to the `dependencyManagement.dependencies`\nsection.\n\n## Properties\n\nThey are either patched inline (if found), or added to the `properties` section.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fpombump","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchainguard-dev%2Fpombump","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fpombump/lists"}