How to check for plugin dependencies

Hello,

I lately had a bad fight with plugin dependencies.

Trying to update “Matrix Authorization Strategy” to 3.0;
In the end I had locked myself out of Jenkins and needed to “sneak me back in” by killing Jenkins hand-editing me back in and downdating plugins.
See [JENKINS-67387] "No type prefix: " in "Assign roles:" after updating "Matrix Authorization Strategy" to 3.0 - Jenkins Jira and Matrix Authorization Strategy 3.0: "No type prefix:...." - #5 by martinjost for the ugly details.

Updated a plugin, which as dependency updated another plugin, where we had a local modification in
use => Local modifications gone.

So currently I have four plugins, which I’m not “allowed” to update, for one or the other reason.
How do you handle such situations, concerning plugin dependencies ?

I’m currently only aware of the hack to use
<Jenkins-install-dir>/home/plugins> find . -name pom.xml -exec grep -iH '<plugin-name>' {} \;
to search for dependencies in the pom.xml.

I remember that Jenkins “back then” listed the plugins a pending plugin update was depending upon in the plugin manager - but I don’t see this nay more.
Did I accidentally configure this away ? Do I need to enable it somehow ?

Is there a way, I can tell Jenkins: Please DON’T update these plugins currently, neither by me directly requesting it by accident nor indirectly, due to dependencies ?

Regards

Martin

I searched the offered plugins, Jenkins.io and web search for it, but I could only find some few info, none solving my problem:
https://plugins.jenkins.io/dependencyanalyzer/#documentation
Last update seven years ago; seems to aim at the job dependencies
https://plugins.jenkins.io/dependency-check-jenkins-plugin/
Seems to be aimed at vulnerabilities
https://plugins.jenkins.io/depgraph-view/
Dependency on projects in CI

docu:

Need to test - but still external to the plugin manager

I’m not aware of a way to do that from the user interface. I like the idea of “freezing” a plugin at a specific version temporarily, but I don’t know the impact of such a concept on the plugin update process.

I’ve been managing my plugin updates through a Docker image with a plugins.txt file that lists the exact plugins and versions of every plugin that I have installed. The plugin installation manager tool is called to suggest updates to that file. I process those updates one plugin at a time. That Docker image allows me to run a test instance separately for experiments. Even if the Jenkins instance is managed interactively, a Docker image might help track the plugin versions you want to use.

If you’re interested in the technique, you can see it in the lts-with-plugins branch of my docker-lfs repo. I use a command like:

$ docker_build.py --report # Show the command I need to enter
$ ./jenkins-plugin-cli.sh --jenkins-version 2.319.1 \
    --plugin-download-directory ref/plugins \
    --plugin-file plugins.txt \
    --no-download \
    --available-updates --output txt > x && mv x plugins.txt
$ ./jenkins-plugin-cli.sh --jenkins-version 2.319.1 \
    --plugin-download-directory ref/plugins \
    --plugin-file plugins.txt

After running that command, I use git commit -v -p to commit each plugin update to the repository as an individual commit.

The Enable/Disable checkbox in the plugin manager UI, “Installed” tab will be disabled (“greyed out”) when there are dependent plugins. Hovering will tell you details.

Even if the checkbox is enabled, there may be implicit dependencies.

Additionally, there are generated pages on plugins.jenkins.io like https://plugins.jenkins.io/matrix-auth/#dependencies which tells you about explicitly and implicitly dependent plugins for any given plugin, among those that the Jenkins project publishes. This only considers the plugins’ latest releases, and dependencies can be removed again though, so the live information is best.