-
Notifications
You must be signed in to change notification settings - Fork 28
More version patters for Gradle #345
Comments
@szpak thanks for getting in touch! Dependabot's Gradle support is still in beta as the file parsing is pretty tricky and we currently don't have much Java knowledge. Looks like we should be evaluating the build file to support your use case, which is a pretty big piece of work so will take some time to get to. Have you considered removing your version variables and just inlining the versions? Dependabot should then keep these versions up to date individually. |
Thanks @feelepxyz. I'd like to take a quick look at the property value finder to see why it's messing up here, too, though. Will try to get to that this afternoon, and if it's easy I'll get it updated. (We're going to have a a bunch more resource working on Dependabot's Java support soon, btw, so expect lots of improvements!) |
OK, just digging into this. It looks like the problem we have here is with Dependabot's file-fetcher for Gradle, rather than the parsing. In particular, Dependabot doesn't have any knowledge of the @szpak - could you point me at some docs on how Dependabot should deal with |
Thanks @greysteil . Gradle allows to apply plugins and configuration from other files - both local (most of the cases) and remote. A laconic explanation from the official documentation. Btw, there is also an example for Kotlin files, however, Kotlin has been added quite recently as a language to configure Gradle and most of the projects still use Groovy (and |
Btw2, you might be also interested in the way how variables can be created (both local and those in the |
That's really useful, thanks @szpak. I've just shipped this commit which means dependabot will now update dependencies in a plugin file which has |
Thanks @greysteil and sorry for delay. I had problem reaching out the repository owner to add Dependabot. In the end I tested it using my fork. It seems to work in general. However, I have two remarks/suggestions:
|
@greysteil What do you think about my point from the previous comment? |
|
FYI, (1) is now fixed (it was a race). Thanks again for the heads up on that one! |
Ad. 1. 👍 Ad. 2. Ok, it should be a big problem. |
Dependabot will only look at our shared dependency version file if it has `dependencies` in its name: dependabot/feedback#345 [#166295186]
If this works, dependabot will create a PR to bump the Jackson version in `dependencies.gradle`. I'm trying to mimic the structure used by the mockito team: dependabot/feedback#345 [#166295186]
Hey @greysteil :) just wanted to point out that there's nothing in gradle that actually demands you put shared dependencies in a file called I point this out because my team uses a similar pattern. We found it difficult to figure out that in order to get dependabot to detect our shared versions, we had to rename the file we put them in. The only documentation of that seems to be this github issue. Eventually we figured it out in this commit and it started working, but it was quite confusing. It would nice to have this somewhere in the official documentation. |
Sorry about that @andrewedstrom. The team have their work cut out scaling Dependabot's automated security fixes to work on all GitHub repos, but I know coming back to Gradle and improving our support their is high on the priority list once that scaling is done. |
In Mockito we keep common dependencies in one place to share them across the (sub)modules. They doesn't seem to be fully supported. It would be useful to extend the property value finder to find unambitious patterns and we would try to adjust the rest to something more generic.
We've seen property_value_finder.rb, but those are regular expressions and in addition you know better how to adjust it properly :).
Sample cases:
and
Our file with dependency configuration. Please let us how you see it.
The text was updated successfully, but these errors were encountered: