
Support Gradle lockfiles

Open rahulsom opened this issue 5 years ago • 9 comments

Since Gradle 4.9, or 4.10, Gradle has been supporting dependency locking through lock files. It would be nice if Dependabot supported those lockfiles instead of updating the build.gradle.

rahulsom avatar Oct 30 '18 01:10 rahulsom

This is going to be a big one, but I'm definitely 👍 on tackling it. The best docs I've seen on it are in https://docs.gradle.org/current/userguide/userguide.pdf.

Note, in order to achieve this Dependabot will either have to shift to cloning Gradle repos or get very good at writing sanitized build.gradle files. Either should be achievable, but this is a medium sized project.

Thanks for the feedback @rahulsom!

greysteil avatar Oct 31 '18 00:10 greysteil

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.

stale[bot] avatar Oct 23 '19 05:10 stale[bot]

Poke

rahulsom avatar Oct 23 '19 13:10 rahulsom

@rahulsom just pinned it 👌

feelepxyz avatar Oct 23 '19 13:10 feelepxyz

Now that Gradle supports single-file locks, it should probably be simpler.

amq avatar Nov 20 '20 09:11 amq

…and single-file locks are becoming the default in Gradle 7.

(that's actually 3 lockfiles possibly: settings-gradle.lockfile, buildscript-gradle.lockfile, and gradle.lockfile)

tbroyer avatar Mar 23 '21 18:03 tbroyer

Is this still on the roadmap somewhere?

chenrui333 avatar Feb 11 '22 00:02 chenrui333

Can this please be prioritized?

peadarom avatar Mar 21 '22 18:03 peadarom

In case it's relevant, here's the equivalent issue for Renovate: renovatebot/renovate#5534.

usmonster avatar Jul 26 '22 09:07 usmonster

While nice to see some focus on Gradle, the recently added libs.versions.toml in #3121 is akin to checking package.json instead of package-lock.json, or Cargo.toml instead of Cargo.lock. It's better than nothing, but checking the resolved versions actually used for build and runtime is the more correct solution for Gradle. Comment to hopefully reduce the risk of this issue being closed now that some kind of support exists.

dsvensson avatar Mar 14 '23 14:03 dsvensson

@dsvensson I added #8205 partially because of that. It's worse because libs.toml creates the accessors; it's a library of "possible dependencies", which doesn't even mean they are actually ones.

With these issues existing, for me support for Gradle never works; at best, it's a notification, and the PR is meaningless.

To be honest I would really only expect Dependabot to care about what's in the lockfiles, what's in libs.toml is irrelevant, and may not even be what is finally resolved even if the dependency is used.

xenoterracide avatar Oct 16 '23 14:10 xenoterracide
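Added example, not dependabot-core's own code: a small Ruby parser for the single-file gradle.lockfile format, plus a check that surfaces the gap dsvensson and xenoterracide describe above, where the version catalog declares one version but the lockfile resolves another, or where a module reaches the build only transitively and the catalog never declares it. The lockfile content and the declared-version map are constructed sample data.

```ruby
# Added example (not dependabot-core's code): parse a Gradle single-file
# lockfile and compare its resolved versions against a declared catalog.
# Constructed sample gradle.lockfile (format: group:name:version=configs).
SAMPLE_LOCKFILE = <<~LOCK
  # This is a Gradle generated file for dependency locking.
  # Manual edits can break the build and are not advised.
  # This file is expected to be part of source control.
  com.fasterxml.jackson.core:jackson-databind:2.15.2=compileClasspath,runtimeClasspath
  org.apache.commons:commons-lang3:3.12.0=compileClasspath,runtimeClasspath
  org.slf4j:slf4j-api:2.0.7=runtimeClasspath
  empty=annotationProcessor
LOCK

# Constructed stand-in for libs.versions.toml declarations (module => version).
# slf4j is deliberately absent: it only reaches the build transitively.
DECLARED_VERSIONS = {
  "com.fasterxml.jackson.core:jackson-databind" => "2.15.2",
  "org.apache.commons:commons-lang3" => "3.11", # declared below what resolves
}

# Returns { "group:name" => { version: "x", configurations: [...] } }.
def parse_gradle_lockfile(text)
  locked = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    coordinate, configs = line.split("=", 2)
    next if coordinate == "empty" # configurations that lock nothing
    group, name, version = coordinate.split(":", 3)
    raise ArgumentError, "malformed lock entry: #{line}" if version.nil?
    locked["#{group}:#{name}"] = { version: version, configurations: configs.to_s.split(",") }
  end
  locked
end

# Locked modules whose resolved version differs from the declared one, or that
# the catalog never declares (declared: nil): the cases a catalog-only update misses.
def resolution_drift(locked, declared)
  locked.each_with_object({}) do |(mod, entry), drift|
    next if declared[mod] == entry[:version]
    drift[mod] = { declared: declared[mod], resolved: entry[:version] }
  end
end

if __FILE__ == $PROGRAM_NAME
  resolution_drift(parse_gradle_lockfile(SAMPLE_LOCKFILE), DECLARED_VERSIONS).each do |mod, d|
    puts "#{mod}: catalog #{d[:declared].inspect}, lockfile #{d[:resolved]}"
  end
end
```

Running it reports commons-lang3 (catalog "3.11", lockfile 3.12.0) and slf4j-api (catalog nil, lockfile 2.0.7), while jackson-databind, which matches, is silent.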

Is there any news on this at all? We would really like to start using Gradle dependency locking, for one because we want to use the Trivy security scanner to scan our Gradle dependencies for vulnerabilities, and Trivy requires Gradle lock files (when using Gradle).

There seem to be alternative solutions not using Dependabot, such as: https://peterevans.dev/posts/how-to-automate-gradle-dependency-updates-with-github-actions/, and also Renovate supports Gradle lock files these days, but we would much rather stick with Dependabot if possible.

edgarvonk avatar Jan 25 '24 08:01 edgarvonk