dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Support Gradle lockfiles #2222

Open rahulsom opened 5 years ago

rahulsom commented 5 years ago

Since gradle 4.9, or 4.10, Gradle has been supporting dependency locking through lock files. It would be nice if Dependabot supported those lockfiles instead of updating the build.gradle.

greysteil commented 5 years ago

This is going to be a big one, but I'm definitely 👍 on tackling it. The best docs I've seen on it are in https://docs.gradle.org/current/userguide/userguide.pdf.

Note, in order to achieve this Dependabot will either have to shift to cloning Gradle repos or get very good at writing sanitized build.gradle files. Either should be achievable, but this is a medium sized project.

Thanks for the feedback @rahulsom!

feelepxyz commented 4 years ago

@rahulsom just pinned it 👌

amq commented 3 years ago

Now that Gradle supports single-file locks, it should probably be simpler.

tbroyer commented 3 years ago

…and single-file locks are becoming the default in Gradle 7.

(that's actually 3 lockfiles possibly: settings-gradle.lockfile, buildscript-gradle.lockfile, and gradle.lockfile)

chenrui333 commented 2 years ago

Is this still on the roadmap somewhere?

peadarom commented 2 years ago

Can this please be prioritized?

usmonster commented 1 year ago

In case it's relevant, here's the equivalent issue for Renovate: renovatebot/renovate#5534.

dsvensson commented 1 year ago

While nice to see some focus on gradle, the recently added libs.versions.toml in #3121 is akin to checking package.json instead of package-lock.json, or Cargo.toml instead of Cargo.lock. It's better than nothing, but checking the resolved versions actually used for build and runtime is the more correct solution for gradle. Comment to hopefully reduce the risk of this issue being closed now that some kind of support exists.

xenoterracide commented 8 months ago

@dsvensson I added #8205 partially because of that. It's worse because libs.toml creates the accessors; it's a library of "possible dependencies", which doesn't even mean they are actually ones.

With these issues existing, for me support for Gradle never works; at best, it's a notification, and the PR is meaningless.

To be honest I would really only expect Dependabot to care about what's in the lockfiles, what's in libs.toml is irrelevant, and may not even be what is finally resolved even if the dependency is used.
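The point raised in the two comments above (dsvensson and xenoterracide) is that libs.versions.toml records declared versions while gradle.lockfile records what was actually resolved. The following is an added example, not code from dependabot-core or Gradle: it parses the single-file lock format and reports where resolved versions drift from the catalog. The lock sample and the DECLARED_VERSIONS map (a stand-in for an already-read catalog) are constructed.

```python
"""Parse a Gradle single-file lock (gradle.lockfile) and compare resolved
versions against versions declared in a version catalog."""
import re

# Constructed sample in the Gradle 7+ single-file lock layout (assumed):
# "<group>:<artifact>:<version>=<config>,<config>"; "empty=" lists configs with no deps.
SAMPLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
com.fasterxml.jackson.core:jackson-databind:2.15.2=compileClasspath,runtimeClasspath
org.apache.commons:commons-lang3:3.12.0=compileClasspath,runtimeClasspath
org.slf4j:slf4j-api:2.0.9=runtimeClasspath
empty=annotationProcessor
"""

# Constructed stand-in for libs.versions.toml, reduced to "group:artifact" -> version
# (the TOML itself is not parsed here).
DECLARED_VERSIONS = {
    "com.fasterxml.jackson.core:jackson-databind": "2.14.0",  # catalog lags the lock
    "org.apache.commons:commons-lang3": "3.12.0",
    "org.eclipse.jetty:jetty-server": "11.0.15",  # declared but never resolved
}

LOCK_LINE = re.compile(r"^([^:=\s]+):([^:=\s]+):([^=\s]+)=(.*)$")


def parse_lockfile(text):
    """Return {"group:artifact": {"version": str, "configurations": set}}."""
    locked = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("empty="):
            continue  # comments and the "empty=" marker carry no dependency
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised lock line: {line!r}")
        group, artifact, version, configs = m.groups()
        locked[f"{group}:{artifact}"] = {
            "version": version,
            "configurations": {c for c in configs.split(",") if c},
        }
    return locked


def compare(locked, declared):
    """Report drift between resolved (lock) and declared (catalog) versions."""
    report = {"version_mismatch": {}, "resolved_not_declared": [], "declared_not_resolved": []}
    for coord, info in sorted(locked.items()):
        if coord not in declared:
            report["resolved_not_declared"].append(coord)  # transitive or undeclared
        elif declared[coord] != info["version"]:
            report["version_mismatch"][coord] = (declared[coord], info["version"])
    report["declared_not_resolved"] = sorted(c for c in declared if c not in locked)
    return report
```

A scanner that only reads the catalog would report jackson-databind at 2.14.0 and slf4j-api not at all; the lock shows what the build actually ships.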

edgarvonk commented 5 months ago

Is there any news on this at all? We would really like to start using Gradle dependency locking, for one because we want to use the Trivy security scanner to scan our Gradle dependencies on vulnerabilities and Trivy requires Gradle lock files (when using Gradle).

There seem to be alternative solutions not using Dependabot such as: https://peterevans.dev/posts/how-to-automate-gradle-dependency-updates-with-github-actions/ and also Renovate supports Gradle lock files these days, but we would much rather stick with Dependabot if possible.