
More flexible reports for dependencies coming from BOMs

steve-todorov opened this issue 8 months ago • 8 comments

Feature request

We'd like to suggest adding a flag that would stop showing dependencies in reports for dependencies that are pulled in via a BOM. The flag would probably need to have three modes:

  1. default - print the report as-is.
  2. silent - don't show any dependency update reports that have been pulled in from a BOM.
  3. warn - print a one-liner saying `hey

The different modes would make the reports act slightly differently:

  1. In default mode the end report would be as it is now:
     ```
     The following dependencies have later release versions:
      - com.google.code.gson:gson [2.10.1 -> 2.11.0]
     ```
  2. silent mode would remove the dependency from the report.
  3. warn could output something like this:
     ```
     The following dependencies defined in BOM(s) ["com.google.cloud:libraries-bom:26.40.0", "xyz:version"] have later release versions:
      - com.google.code.gson:gson [2.10.1 -> 2.11.0]
     ```

A bit more context

We have multiple projects that enforce BOM dependencies. Here's an example:

```kotlin
implementation(enforcedPlatform("com.google.cloud:libraries-bom:26.40.0"))
```

When we run `./gradlew dependencyUpdates` the report will say there's a newer `com.google.code.gson:gson` version:

```
The following dependencies have later release versions:
 - com.google.code.gson:gson [2.10.1 -> 2.11.0]
```

On its own the report is absolutely correct, but it kind of lacks some flexibility and additional context. Someone could easily be confused and decide to define `implementation("com.google.code.gson:gson:2.11.0")`, which won't work, because the version 2.10.1 is enforced via the `enforcedPlatform`.

Our case would fall under the silent mode if there were a flag.

steve-todorov • Jun 04 '24 21:06
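The three modes proposed in the issue can be prototyped outside the plugin by post-processing the text it already prints. The script below is an added example, not code from gradle-versions-plugin or from the issue author: it parses the `dependencyUpdates` lines quoted above, looks up which modules are managed by a BOM (the `BOM_MEMBERS` mapping is an assumed, hand-written stand-in for what a real build would derive from the platform's constraints), and renders the report in `default`, `silent` or `warn` mode. The sample report text is constructed for the example and mirrors the format shown in the issue; the `org.example:standalone-lib` module is invented so that the filtering is visible. Keeping `warn` available matters from a maintenance standpoint: a BOM-pinned dependency that has a newer release is still a signal that the BOM itself may need bumping, and `silent` hides that signal entirely.

```python
import re
from dataclasses import dataclass

# Constructed sample of the plain-text section that the dependencyUpdates task
# prints. It mirrors the lines quoted in the issue; it is not a captured report.
SAMPLE_REPORT = """\
The following dependencies have later release versions:
 - com.google.code.gson:gson [2.10.1 -> 2.11.0]
 - org.example:standalone-lib [1.0.0 -> 1.2.0]
"""

# Assumed mapping from a BOM's coordinates to the modules it manages.
# A real build would derive this from the enforcedPlatform's constraints;
# here it is hard-coded for the example.
BOM_MEMBERS = {
    "com.google.cloud:libraries-bom:26.40.0": {"com.google.code.gson:gson"},
}

# One outdated-dependency line: " - group:name [current -> latest]"
LINE_RE = re.compile(
    r"^\s*-\s+(?P<module>\S+)\s+\[(?P<cur>\S+)\s+->\s+(?P<new>\S+)\]\s*$"
)

MODES = ("default", "silent", "warn")


@dataclass(frozen=True)
class Outdated:
    module: str
    current: str
    latest: str


def parse_report(text):
    """Extract the outdated-dependency entries from the plugin's text report."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Outdated(m["module"], m["cur"], m["new"]))
    return entries


def bom_for(module, bom_members):
    """Return the BOM that manages `module`, or None if it is unmanaged."""
    for bom, members in bom_members.items():
        if module in members:
            return bom
    return None


def format_entry(entry):
    return f" - {entry.module} [{entry.current} -> {entry.latest}]"


def render(entries, bom_members, mode="default"):
    """Render the report in one of the three modes proposed in the issue."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}, got {mode!r}")

    unmanaged = []          # dependencies declared directly by the build
    managed = {}            # bom -> entries whose version the BOM controls
    for entry in entries:
        bom = bom_for(entry.module, bom_members)
        if bom is None or mode == "default":
            unmanaged.append(entry)
        elif mode == "warn":
            managed.setdefault(bom, []).append(entry)
        # mode == "silent": BOM-managed entries are dropped from the output

    lines = []
    if unmanaged:
        lines.append("The following dependencies have later release versions:")
        lines.extend(format_entry(e) for e in unmanaged)
    if managed:
        boms = ", ".join(f'"{b}"' for b in managed)
        lines.append(
            f"The following dependencies defined in BOM(s) [{boms}] "
            "have later release versions:"
        )
        for items in managed.values():
            lines.extend(format_entry(e) for e in items)
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for mode in MODES:
        print(f"--- {mode} ---")
        print(render(parsed, BOM_MEMBERS, mode) or "(nothing to report)")
```

Run it as a script to see all three renderings side by side; in `silent` mode only the directly declared `standalone-lib` line survives, and in `warn` mode the gson entry moves under a header naming the BOM that controls its version.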