Comments (33)
Totally 👍 on adding this. I'm going to be off the grid for the next two weeks, but please don't take that as a lack of enthusiasm!
from dependabot-core.
As mentioned earlier by @MiniDigger there are many ways to declare your dependencies in a gradle file. If only a file scan is done on a project it would be nice to take ExtraPropertiesExtensions into account. These are mainly used to manage dependency versions across different modules.
It would for example look like this. In some other gradle file, e.g. dependencies.gradle:
ext {
    myLibraryVersion = '1.0.0'
}
Module 1 build.gradle:
implementation "com.example:dependency:$myLibraryVersion"
Module 2 build.gradle:
implementation "com.example:dependency:$myLibraryVersion"
Another thing to be aware of is that from Gradle version 3 compile was changed to implementation and api, and a bunch of other configurations were added. But I can imagine this will be ignored when checking the dependency versions.
from dependabot-core.
Not yet, sorry! I'm going to be pushing on Rust and adding private repo support to Maven today, but will have a look at this immediately after. Would love to support Gradle projects, and will start a template PR in the next couple of days.
from dependabot-core.
I have no idea how the parsing works in the Backend, but looking at all the edge cases, maybe it's easier to just clone the repo and run gradle together with a special task to check dependencies?
This plugin creates a json file with all versions of all dependencies and checks if there are newer versions available https://github.com/ben-manes/gradle-versions-plugin
Just something to consider, as this would automatically support all possible ways to define dependencies since it hooks into Gradle's API.
from dependabot-core.
Initial PRs created by Dependabot: https://github.com/greysteil/dependencies/pulls.
Still a long way to go on this, but it kinda works already!
from dependabot-core.
Hey team, I've just released this! If you do a hard refresh on your Dependabot dashboards you should be able to add Gradle projects (by selecting Java - Gradle as the language).
A few known deficiencies:
1. It can't handle Kotlin files yet
2. It can't do multi-module support yet. It will only operate on the build.gradle file in the repo you specify
3. It can't handle custom repositories yet (it will look for everything in the central repository)
4. It doesn't do any resolution, just tries to update you to the latest (non-prerelease) version
As a result of the above I've put an alpha badge on current support. I'm planning to handle 2. and 3. in the next few days. In the meantime, the more projects you (and others) try it on the quicker I'll be able to iron out the bugs.
Thanks for all your help on this one! 🎉
from dependabot-core.
@matfax - not yet. Our Gradle support is hugely more robust than it was a month ago, though, and is now in beta.
I'll try to take a look at Kotlin support in the next few days. We ended up switching to regexes to parse Gradle build files (ugly, but easier to understand than attempting to parse Gradle from Ruby). If the Kotlin work can be done with the same approach it should be relatively straightforward.
from dependabot-core.
💯 🌈 🌟
from dependabot-core.
@greysteil You can temporarily scan the repo for *.gradle files and index them.
from dependabot-core.
Yep! Really keen to, but it's going to be quite a big project for us and I don't know exactly when. It's on my list for before we can take Gradle out of beta, though.
from dependabot-core.
@greysteil Any news?
from dependabot-core.
Thanks, I'm waiting!
from dependabot-core.
@MiniDigger, OK, I'm going to get started on this this week. Any pointers on docs / a (simple) example repo that I can use as a fixture?
from dependabot-core.
I guess you could use this project, it has a bunch of dependencies
https://github.com/VoxelGamesLib/dependencies/blob/master/build.gradle
Not sure what docs could help you, this one gives a good overview
https://docs.gradle.org/current/dsl/org.gradle.api.artifacts.dsl.DependencyHandler.html
Gradle is a bit more flexible than maven, so there are countless ways to declare dependencies. For the start I would think supporting the map style (group: 'com.google.code.guice', name: 'guice', version: '1.0') and the short ('commons-lang:commons-lang:2.6') notation with both single and double quotation marks in a dependencies block would be enough. Supporting multiple modules should be easy, all that's necessary is scanning the repo for more build.gradle files (they can be anywhere, but I guess 2 levels deep should be enough for most setups).
from dependabot-core.
Here is another good example as this highlights that a dependencies block doesn't need to be in the root of the file but can be nested in a buildscript or subprojects or a project('a') block.
https://github.com/MiniDigger/CryptoClicker/blob/master/build.gradle
from dependabot-core.
Here are two examples for a gradle file used in an Android project: https://github.com/Samourai-Wallet/samourai-wallet-android/blob/develop/app/build.gradle
And: https://github.com/duckduckgo/Android/blob/develop/app/build.gradle
from dependabot-core.
👍 - I've started the work over at #464.
from dependabot-core.
@greysteil Looks good so far, but I have some suggestions/bugs:
- Can you have a look at openhab/openhab-android#886? When I try the update locally I get the following error:
Could not find com.google.firebase:firebase-core:15.0.1.
Searched in the following locations:
file:/C:/Users/user/AppData/Local/Android/Sdk/extras/m2repository/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.pom
file:/C:/Users/user/AppData/Local/Android/Sdk/extras/m2repository/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.jar
file:/C:/Users/user/AppData/Local/Android/Sdk/extras/google/m2repository/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.pom
file:/C:/Users/user/AppData/Local/Android/Sdk/extras/google/m2repository/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.jar
file:/C:/Users/user/AppData/Local/Android/Sdk/extras/android/m2repository/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.pom
file:/C:/Users/user/AppData/Local/Android/Sdk/extras/android/m2repository/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.jar
https://jcenter.bintray.com/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.pom
https://jcenter.bintray.com/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.jar
https://dl.google.com/dl/android/maven2/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.pom
https://dl.google.com/dl/android/maven2/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.jar
https://jcenter.bintray.com/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.pom
https://jcenter.bintray.com/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.jar
https://repo.maven.apache.org/maven2/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.pom
https://repo.maven.apache.org/maven2/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.jar
https://jitpack.io/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.pom
https://jitpack.io/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.jar
https://dl.google.com/dl/android/maven2/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.pom
https://dl.google.com/dl/android/maven2/com/google/firebase/firebase-core/15.0.1/firebase-core-15.0.1.jar
Required by:
project :mobile
Google is deprecating its GCM in favor of FCM (Firebase cloud messaging). The PR is about updating the Google Maps package, but it seems to be related to this deprecation.
- When using https://github.com/signalapp/gradle-witness for verification of dependencies, @dependabot-bot should update the corresponding hash sum. However gradle-witness doesn't support implementation for now.
The android support library packages should be updated in one PR, not split in multiple PRs.
implementation "com.android.support:appcompat-v7:27.1.1"
implementation "com.android.support:support-v4:27.1.1"
implementation "com.android.support:recyclerview-v7:27.1.1"
implementation "com.android.support:design:27.1.1"
implementation 'com.android.support:multidex:1.0.3'
implementation 'com.android.support.constraint:constraint-layout:1.0.2'
- Here is an example by Google of how to use variables to have the same version of libs in the whole project.
https://github.com/googlecodelabs/android-testing/blob/master/build.gradle#L21
https://github.com/googlecodelabs/android-testing/blob/master/app/build.gradle#L54
Android projects always have these two files and they can have more, if they contain more modules.
from dependabot-core.
Thanks for the feedback @mueller-ma! Gradle support is super alpha at the moment, but I should have some time over the next couple of weeks to start improving it. I'll definitely be referring to the above when I do!
from dependabot-core.
@greysteil Can you have a look at openhab/openhab-android#958?
The build fails, because the bumped dependency cannot be found on a remote server:
A problem occurred configuring project ':mobile'.
> Could not resolve all artifacts for configuration ':mobile:classpath'.
> Could not find com.google.gms:google-services:4.0.2.
Searched in the following locations:
https://maven.fabric.io/public/com/google/gms/google-services/4.0.2/google-services-4.0.2.pom
https://maven.fabric.io/public/com/google/gms/google-services/4.0.2/google-services-4.0.2.jar
https://repo.maven.apache.org/maven2/com/google/gms/google-services/4.0.2/google-services-4.0.2.pom
https://repo.maven.apache.org/maven2/com/google/gms/google-services/4.0.2/google-services-4.0.2.jar
Required by:
project :mobile
How does @dependabot-bot know that there is a new version?
from dependabot-core.
Probably you should add the google() repository to your buildscript repositories block:
buildscript {
    repositories {
        google() // <------------- HERE
        maven {
            url 'https://maven.fabric.io/public'
        }
        mavenCentral()
    }
    dependencies {
        classpath 'com.google.gms:google-services:4.0.2'
        classpath 'io.fabric.tools:gradle:1.24.4'
        classpath files('libs/gradle-witness.jar')
    }
}
from dependabot-core.
@audkar Thanks for the tip, but it didn't help:
A problem occurred configuring project ':mobile'.
> Could not resolve all artifacts for configuration ':mobile:classpath'.
> Could not find com.google.gms:google-services:4.0.2.
Searched in the following locations:
https://dl.google.com/dl/android/maven2/com/google/gms/google-services/4.0.2/google-services-4.0.2.pom
https://dl.google.com/dl/android/maven2/com/google/gms/google-services/4.0.2/google-services-4.0.2.jar
https://maven.fabric.io/public/com/google/gms/google-services/4.0.2/google-services-4.0.2.pom
https://maven.fabric.io/public/com/google/gms/google-services/4.0.2/google-services-4.0.2.jar
https://repo.maven.apache.org/maven2/com/google/gms/google-services/4.0.2/google-services-4.0.2.pom
https://repo.maven.apache.org/maven2/com/google/gms/google-services/4.0.2/google-services-4.0.2.jar
Required by:
project :mobile
from dependabot-core.
Let me take a look into this one - I'll get back to you.
from dependabot-core.
@greysteil When bumping an annotation processor, two lines need to be changed: https://github.com/openhab/openhab-android/pull/964/files#diff-267b4136e002edb2e31e096623801166L129 and the line below.
from dependabot-core.
@greysteil @dependabot-bot must not treat checksums inside the block dependencyVerification {} as version numbers and must not bump them. dependencyVerification {} is created by https://github.com/signalapp/gradle-witness.
openhab/openhab-android#1003
from dependabot-core.
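As an added illustration (not Dependabot's code and not posted by anyone in this thread) of the regex approach discussed above, here is a small Ruby pass that handles the cases raised in this thread: map-style and short notation inside any nested block, versions taken from an ext { } block, and the gradle-witness dependencyVerification { } block skipped so that its checksums are not read as versions. The sample build file and all function names are constructed for the example.

```ruby
# Added example, not Dependabot's own code: a regex pass over a build.gradle in
# the spirit of the approach this thread describes: map-style and short
# notation in any nested block, "$var"/"${var}" versions taken from ext { },
# and the gradle-witness dependencyVerification { } block skipped by default.
SAMPLE_BUILD_GRADLE = <<~'GRADLE'   # constructed sample input
  ext {
    supportVersion = '27.1.1'
  }
  buildscript {
    dependencies {
      classpath 'com.google.gms:google-services:4.0.2'
    }
  }
  dependencies {
    implementation "com.android.support:appcompat-v7:$supportVersion"
    implementation "com.android.support:design:${supportVersion}"
    compile group: 'com.google.code.guice', name: 'guice', version: '1.0'
    testCompile 'commons-lang:commons-lang:2.6'
  }
  dependencyVerification {
    verify = ['com.android.support:appcompat-v7:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef']
  }
GRADLE
# Loose "group:name:version" match: alone it would also hit a gradle-witness
# checksum line, which is why that block is stripped before matching.
SHORT_RE = /["']([\w.\-]+):([\w.\-]+):([^"'\s]+)["']/
MAP_RE = /group:\s*["']([\w.\-]+)["'],\s*name:\s*["']([\w.\-]+)["'],\s*version:\s*["']([^"']+)["']/
def strip_verification_block(text)
  # gradle-witness writes the block's closing brace at the start of a line.
  text.sub(/^dependencyVerification\s*\{.*?^\}/m, "")
end

def ext_properties(text)
  block = text[/\bext\s*\{([^}]*)\}/, 1] || ""
  block.scan(/(\w+)\s*=\s*["']([^"']+)["']/).to_h
end

def resolve(version, props)
  m = version.match(/\A\$\{?(\w+)\}?\z/)
  m ? props.fetch(m[1], version) : version
end

def parse_dependencies(text, strip_witness: true)
  props = ext_properties(text)
  body = strip_witness ? strip_verification_block(text) : text
  body.each_line.map do |line|
    m = line.match(SHORT_RE) || line.match(MAP_RE)
    { group: m[1], name: m[2], version: resolve(m[3], props) } if m
  end.compact
end
```

Calling parse_dependencies with strip_witness: false reproduces the bug reported above: the checksum line comes back as a sixth "dependency" whose version is the SHA-256.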
That looks like a pretty easy fix - I'll get it done now!
from dependabot-core.
Thanks. Any update on this?
from dependabot-core.
Gotta confess I accidentally let that one drop. I'm doing a push on Gradle today and tomorrow, though, and will try to get that fixed, too.
from dependabot-core.
@mueller-ma - OK, the SHA issue is fixed in this commit and the version issue is fixed here. Thanks for pointing both out!
Deploying now - I'll re-run Dependabot on your repos once done and it should close any invalid PRs.
from dependabot-core.
Is anyone working on Kotlin DSL yet?
from dependabot-core.
@greysteil Are you planning on supporting dependency locking?
https://docs.gradle.org/current/userguide/dependency_locking.html
from dependabot-core.
Hi, does the latest version support #245 (comment) ?
from dependabot-core.
Yes - should do. I'm going to close this issue now and we can deal with individual Gradle requests separately. 🎉
from dependabot-core.