Quarkus / QUARKUS-2935

GitHub dependabot not working when an SP is introduced after a Final


    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Minor
    • 2.13.5.SP1.GA
    • platform, team/eng

I'm not quite sure how to classify this, but I discovered something interesting when using GitHub dependabot to keep dependencies up to date. This specific instance came to light when I noticed that Quarkus 2.13.5.SP1-redhat-00002 was released, superseding 2.13.5.Final-redhat-00002.

What I noticed was that dependabot did not notice that there was an update.

I filed an issue with dependabot directly (https://github.com/dependabot/dependabot-core/issues/6637) - please take a read through all the details there.

As it turns out, Maven does not see a version string like x.y.z.SP1-redhat-xxxx as "newer" than x.y.z.Final-redhat-xxxx (see https://maven.apache.org/pom.html#Version_Order_Specification).

This is something that needs to be thought out, as currently anyone using GitHub dependabot to keep their versions up-to-date is not being kept up-to-date like they think they are.

Additionally, if there are any other Red Hat products that use this kind of versioning scheme with Maven, they are broken too.

Thomas Qvarnström (rhn-sa-tqvarnst)
Eric Deandrea (eric.deandrea)