Open rahulsom opened 5 years ago
This is going to be a big one, but I'm definitely 👍 on tackling it. The best docs I've seen on it are in https://docs.gradle.org/current/userguide/userguide.pdf.
Note: in order to achieve this, Dependabot will either have to shift to cloning Gradle repos or get very good at writing sanitized build.gradle files. Either should be achievable, but this is a medium-sized project.
Thanks for the feedback @rahulsom!
@rahulsom just pinned it 👍
Now that Gradle supports single-file locks, it should be probably simpler.
…and single-file locks are becoming the default in Gradle 7.
(that's actually 3 lockfiles possibly: settings-gradle.lockfile, buildscript-gradle.lockfile, and gradle.lockfile)
Is this still on the roadmap somewhere?
Can this please be prioritized?
In case it's relevant, here's the equivalent issue for Renovate: renovatebot/renovate#5534.
While it is nice to see some focus on Gradle, the recently added libs.versions.toml support in #3121 is akin to checking package.json instead of package-lock.json, or Cargo.toml instead of Cargo.lock. It's better than nothing, but checking the resolved versions actually used for build and runtime is the more correct solution for Gradle. Commenting to hopefully reduce the risk of this issue being closed now that some kind of support exists.
@dsvensson I added #8205 partially because of that. It's worse because libs.toml creates the accessors; it's a library of "possible dependencies", which doesn't even mean they are actually ones.
With these issues existing, for me support for Gradle never works; at best, it's a notification, and the PR is meaningless.
To be honest, I would really only expect Dependabot to care about what's in the lockfiles; what's in libs.toml is irrelevant, and may not even be what is finally resolved even if the dependency is used.
Is there any news on this at all? We would really like to start using Gradle dependency locking, for one because we want to use the Trivy security scanner to scan our Gradle dependencies for vulnerabilities, and Trivy requires Gradle lock files (when using Gradle).
There seem to be alternative solutions not using Dependabot, such as https://peterevans.dev/posts/how-to-automate-gradle-dependency-updates-with-github-actions/, and Renovate also supports Gradle lock files these days, but we would much rather stick with Dependabot if possible.
Since Gradle 4.9 or 4.10, Gradle has supported dependency locking through lock files. It would be nice if Dependabot supported those lockfiles instead of updating the build.gradle.
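To make the point of the thread concrete (the lock holds the resolved versions, while a version catalog or build script only holds what was declared), here is an added example, not Dependabot's or Gradle's own code: a small parser for Gradle's single-file gradle.lockfile format, and a check of the locked versions against a set of declared versions. The sample lockfile contents and the declared versions are constructed for illustration.

```python
"""Parse a Gradle single-file lockfile and diff it against declared versions."""
import re

# Constructed sample in Gradle's single-file lock format (gradle.lockfile):
# "<group>:<name>:<version>=<config1>,<config2>" per resolved module, and an
# "empty=" line naming locked configurations that resolved to nothing.
SAMPLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.fasterxml.jackson.core:jackson-databind:2.13.4.2=compileClasspath,runtimeClasspath
com.google.guava:guava:31.1-jre=compileClasspath,runtimeClasspath
org.yaml:snakeyaml:1.33=runtimeClasspath
empty=annotationProcessor
"""

# Constructed "declared" versions, as they might appear in libs.versions.toml
# or build.gradle. jackson-databind was declared older than what was resolved
# (Gradle conflict resolution picks the highest requested version), and
# commons-lang3 is declared but never pulled into any configuration.
DECLARED = {
    "com.google.guava:guava": "31.1-jre",
    "com.fasterxml.jackson.core:jackson-databind": "2.13.0",
    "org.apache.commons:commons-lang3": "3.12.0",
}

LOCK_LINE = re.compile(r"^(?P<group>[^:=]+):(?P<name>[^:=]+):(?P<version>[^=]+)=(?P<configs>.*)$")


def parse_lockfile(text):
    """Return ({'group:name': {'version', 'configurations'}}, [empty configurations])."""
    locked, empty = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and the generated-file header comments
        if line.startswith("empty="):
            empty = [c for c in line[len("empty="):].split(",") if c]
            continue
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised lock line: {line!r}")
        locked[f"{m['group']}:{m['name']}"] = {
            "version": m["version"],
            "configurations": m["configs"].split(","),
        }
    return locked, empty


def compare_with_declared(locked, declared):
    """Return (mismatches, transitive_only): mismatches maps module -> (declared,
    resolved-or-None); transitive_only lists locked modules nobody declared."""
    mismatches = {}
    for module, version in declared.items():
        entry = locked.get(module)
        if entry is None:
            mismatches[module] = (version, None)  # declared but never resolved
        elif entry["version"] != version:
            mismatches[module] = (version, entry["version"])  # catalog is stale
    return mismatches, sorted(set(locked) - set(declared))
```

A scanner or update bot that reads only the declared side would miss both snakeyaml (transitive, present only in the lock) and the real jackson-databind version in use.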