gradlex-org / java-module-dependencies

A Gradle plugin to use dependencies from 'module-info.java' files.
Apache License 2.0

Solution to use this plugin in combination with Dependabot #105

Closed jjohannes closed 5 months ago

jjohannes commented 6 months ago

Dependabot does not know how to deal with a build.gradle.kts file like this:

moduleInfo {
    version("com.fasterxml.jackson.core", "2.16.0")
    version("com.fasterxml.jackson.databind", "2.16.0")
    version("org.apache.commons.collections4", "4.4")
    version("org.apache.commons.math3", "1.15")
}

Instead, it would expect something like this:

dependencies.constraints {
    api("com.fasterxml.jackson.core:jackson-core:2.16.0")
    api("com.fasterxml.jackson.core:jackson-databind:2.16.0")
    api("org.apache.commons:commons-collections4:4.4")
    api("org.apache.commons:commons-math3:3.6.1")
}

There is no way to teach Dependabot the custom notation (for this, it would need to be more customizable, https://github.com/dependabot/dependabot-core/issues/1164). Maybe we can support some "mixed" notation that only uses Gradle standard notation that the plugin then checks for correctness:

dependencies.constraints {
    api("com.fasterxml.jackson.core:jackson-core:2.16.0") {
        because("com.fasterxml.jackson.core")
    }
    api("com.fasterxml.jackson.core:jackson-databind:2.16.0") {
        because("com.fasterxml.jackson.databind")
    }
    api("org.apache.commons:commons-collections4:4.4") {
        because("org.apache.commons.collections4")
    }
    api("org.apache.commons:commons-math3:3.6.1") {
        because("org.apache.commons.math3")
    }
}
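
The correctness check proposed for the "mixed" notation, sketched as an added example (not code from the plugin or from commit 867b154): a Python lint that parses a constraints block and warns when an entry lacks `because(...)` or names a module that belongs to different coordinates. The `KNOWN_MODULES` table and the `check_constraints` name are assumptions, built from the four module/coordinate pairs in the issue text.

```python
import re

# Module name -> group:artifact, taken from the four pairs in the issue text.
# A constructed lookup table for this example, not the plugin's own mapping.
KNOWN_MODULES = {
    "com.fasterxml.jackson.core": "com.fasterxml.jackson.core:jackson-core",
    "com.fasterxml.jackson.databind": "com.fasterxml.jackson.core:jackson-databind",
    "org.apache.commons.collections4": "org.apache.commons:commons-collections4",
    "org.apache.commons.math3": "org.apache.commons:commons-math3",
}

# One constraint: api("g:a:v") optionally followed by { because("module") }
CONSTRAINT = re.compile(
    r'(?P<conf>\w+)\(\s*"(?P<ga>[^":]+:[^":]+):(?P<version>[^":]+)"\s*\)'
    r'(?:\s*\{\s*because\(\s*"(?P<module>[^"]+)"\s*\)\s*\})?'
)

def check_constraints(build_script):
    """Return (versions, warnings) for a constraints block in the mixed notation."""
    versions, warnings = {}, []
    for m in CONSTRAINT.finditer(build_script):
        ga, module = m["ga"], m["module"]
        if module is None:
            warnings.append(f"{ga}: no because(...) naming the module")
        elif module not in KNOWN_MODULES:
            warnings.append(f"{ga}: unknown module name '{module}'")
        elif KNOWN_MODULES[module] != ga:
            warnings.append(f"{ga}: because('{module}') belongs to {KNOWN_MODULES[module]}")
        else:
            versions[module] = m["version"]
    return versions, warnings

# Constructed sample input: one correct entry, one mismatched, one without because.
SAMPLE = '''
dependencies.constraints {
    api("com.fasterxml.jackson.core:jackson-core:2.16.0") {
        because("com.fasterxml.jackson.core")
    }
    api("org.apache.commons:commons-collections4:4.4") {
        because("org.apache.commons.math3")
    }
    api("org.apache.commons:commons-math3:3.6.1")
}
'''

if __name__ == "__main__":
    print(check_constraints(SAMPLE))
```

Because the block stays in standard `group:artifact:version` notation, a version bump only touches the coordinate string, and a check like this catches a `because` that has drifted from the coordinates it annotates.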

jjohannes commented 5 months ago

Solution because+warning implemented in 867b154