Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support sbt projects #352

Open
albuch opened this issue Apr 18, 2018 · 14 comments
Open

Support sbt projects #352

albuch opened this issue Apr 18, 2018 · 14 comments

Comments

@albuch
Copy link

@albuch albuch commented Apr 18, 2018

Hey,
it would be awesome to support sbt dependencies and plugin dependencies as well.

https://www.scala-sbt.org/1.x/docs/Library-Dependencies.html
https://www.scala-sbt.org/1.x/docs/Using-Plugins.html

Multi-projects are supported in sbt as well and is a common use case so that should be considered as well: https://www.scala-sbt.org/1.x/docs/Multi-Project.html

@albuch albuch changed the title Support sbt Support sbt projects Apr 18, 2018
@greysteil
Copy link
Member

@greysteil greysteil commented Apr 18, 2018

Totally up for this. I've got some work to do getting Maven support out of beta first, but once that's done sbt support would be a great addition.

@tyrcho
Copy link

@tyrcho tyrcho commented Sep 15, 2018

My company is working with scala, once support for Gitlab and sbt is there I'd be happy to become a paying customer of dependabot.

@greysteil
Copy link
Member

@greysteil greysteil commented Sep 15, 2018

Thanks @tyrcho. I'm still really keen on adding both - will keep you posted.

@tyrcho
Copy link

@tyrcho tyrcho commented Oct 17, 2018

I ran into this sbt plugin which should help a lot !
https://github.com/rtimush/sbt-updates

You can append addSbtPlugin("com.timushev.sbt" % "sbt-updates" % "0.3.4") to the end of project/plugins.sbt (creating it if not present) and then run sbt dependencyUpdates and parse the output in stdout. It looks like that:

[info] Found 10 dependency updates for notification-impl
[info]   com.datadoghq:dd-java-agent:dd-java-agent            : 0.10.0           -> 0.16.0
[info]   com.lightbend.lagom:lagom-logback                    : 1.4.6  -> 1.4.8           
[info]   com.lightbend.lagom:lagom-reloadable-server:dev-mode : 1.4.6  -> 1.4.8           
[info]   com.lightbend.lagom:lagom-scaladsl-dev-mode          : 1.4.6  -> 1.4.8           
[info]   com.lightbend.lagom:lagom-scaladsl-server            : 1.4.6  -> 1.4.8          

Note that in multi-project build you will have duplicated lines.

Even partial support for sbt in dependabot would be great (ie creating the PR to notify the library has been updated). It will probably be impossible to cover all ways in which versions are defined in sbt since you can code in your build files.

@mark-dhl
Copy link

@mark-dhl mark-dhl commented Nov 3, 2018

A project by @fthomas already does this. Hope you could maybe setup some sort of collaboration !

https://github.com/fthomas/scala-steward

@ghost
Copy link

@ghost ghost commented Sep 23, 2019

We are already using dependabot for python and ruby, but the biggest part of our codebase is scala.
Are there any updates on scala/sbt-support?

@greysteil
Copy link
Member

@greysteil greysteil commented Sep 23, 2019

Not yet. We'd still love to add sbt support, but we're a small team and are currently focussed on scaling Dependabot so it can create automated security fixes for all GitHub repos.

@ewolfe
Copy link

@ewolfe ewolfe commented Jan 15, 2020

I was linked here from https://dependabot.com/java/ - I would like to help beta test Java Maven support

@Grundlefleck
Copy link

@Grundlefleck Grundlefleck commented Feb 27, 2020

The PR I raised as a starting point for sbt support (#1589) was closed without comment due to staleness. Not sure whether to interpret as a bad PR that I can improve, or lack of team capacity, or something else. I'm still willing to continue on the functionality, but would prefer to see some indication of whether I'm likely to see it ever getting merged before spending more time on it.

@hmarr
Copy link
Member

@hmarr hmarr commented Mar 2, 2020

@Grundlefleck sorry about that - I've reopened the pull request and added the "enhancement" label, which should prevent stalebot rudely closing it again.

Right now the Dependabot team is working pretty flat out on some scaling challenges and bringing more of Dependabot's features to GitHub natively, which means we've (regrettably) been neglecting dependabot-core a bit. I can't promise a timeline, but I'm hopeful we'll be able to spend more time on dependabot-core soon. When we can give it some proper attention, your SBT pull request will be top of the list.

@albuch
Copy link
Author

@albuch albuch commented Mar 3, 2020

There is another alternative that supports scala/sbt (among many others) in a rudimentary version: https://github.com/apps/renovate
See https://docs.renovatebot.com/modules/manager/sbt/ for docs.

@ihostage
Copy link

@ihostage ihostage commented Mar 3, 2020

@albuch Renovate has a constraint for sbt projects. 😞
As @mark-dhl said, Scala Steward is a really best choice for Scala/Sbt.

@coding-bunny
Copy link

@coding-bunny coding-bunny commented Oct 15, 2020

Anything I can do to make our Scala project rely on dependabot?
We have a multi-tier project that combines 4 projects into a one repo with multiple SBT build files.

@youholemy
Copy link

@youholemy youholemy commented Jan 26, 2021

Uploading 5-720p.jpg…

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
13 participants