Skip to content

Updated dependabot's docs to add Gradle Wrapper #39954

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
gmazzo wants to merge 5 commits into
base: main
Choose a base branch
from
+8 −0
Open

Updated dependabot's docs to add Gradle Wrapper #39954

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
aee5abe
Updated `dependabot`'s docs to add `Gradle Wrapper`
gmazzo Aug 20, 2025
9bd0c80
Update Gradle wrapper description in documentation
kbukum1 Jan 16, 2026
9675fd8
Explain the dependency name for the Gradle Wrapper (#1)
yeikel Jan 28, 2026
c68dbb5
Document that Gradle runs when updating the Gradle Wrapper (#2)
yeikel Jan 28, 2026
43470eb
Merge branch 'github:main' into dependabot-gradle-wrapper-support
gmazzo Jan 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions data/reusables/dependabot/supported-package-managers.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -122,18 +122,26 @@ For more information about using {% data variables.product.prodname_dependabot_v

{% data variables.product.prodname_dependabot %} doesn't run Gradle but supports updates to the following files:
* `build.gradle`, `build.gradle.kts` (for Kotlin projects)
* `gradle/wrapper/gradle-wrapper.properties` (for Gradle wrapper)
* `gradle/libs.versions.toml` (for projects using a standard Gradle version catalog)
* `gradle.lockfile` (for projects using Gradle dependency locking)
* `gradle/wrapper/gradle-wrapper.properties` (for the Gradle Wrapper)
* Files included via the `apply` declaration that have `dependencies` in the filename. Note that `apply` does not support `apply to`, recursion, or advanced syntaxes (for example, Kotlin's `apply` with `mapOf`, filenames defined by property).

{% data variables.product.prodname_dependabot %} runs Gradle to update the Gradle Wrapper:
* `gradle/wrapper/gradle-wrapper.properties`
* `gradlew`
* `gradlew.bat`
* `gradle/wrapper/gradle-wrapper.jar`

Copy link
Contributor

@kbukum1 kbukum1 Feb 2, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we can change it something like the following

{% data variables.product.prodname_dependabot %} supports updates to the following files without needing to run Gradle:

- `build.gradle`, `build.gradle.kts` (for Kotlin projects)
- `gradle/libs.versions.toml` (for projects using a standard Gradle version catalog)
- `gradle.lockfile` (for projects using Gradle dependency locking)
- Files included via the `apply` declaration that have `dependencies` in the filename. Note that `apply` does not support `apply to`, recursion, or advanced syntaxes (for example, Kotlin's `apply` with `mapOf`, filenames defined by property).

{% data variables.product.prodname_dependabot %} runs Gradle to update the Gradle Wrapper:

- `gradle/wrapper/gradle-wrapper.properties`
- `gradlew`
- `gradlew.bat`
- `gradle/wrapper/gradle-wrapper.jar`

Copy link
Author

@gmazzo gmazzo Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Feel free to craft any wording that fits better here.

Copy link
Contributor

@kbukum1 kbukum1 Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gmazzo
Thanks. It will be great if you guys can review it since docs are important from user perspective.

CC: @yeikel

Copy link
Contributor

@kbukum1 kbukum1 Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just added suggestion here. Let me know what do you think.

Comment on lines 123 to +136
Copy link
Contributor

@kbukum1 kbukum1 Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
{% data variables.product.prodname_dependabot %} doesn't run Gradle but supports updates to the following files:
* `build.gradle`, `build.gradle.kts` (for Kotlin projects)
* `gradle/wrapper/gradle-wrapper.properties` (for Gradle wrapper)
* `gradle/libs.versions.toml` (for projects using a standard Gradle version catalog)
* `gradle.lockfile` (for projects using Gradle dependency locking)
* `gradle/wrapper/gradle-wrapper.properties` (for the Gradle Wrapper)
* Files included via the `apply` declaration that have `dependencies` in the filename. Note that `apply` does not support `apply to`, recursion, or advanced syntaxes (for example, Kotlin's `apply` with `mapOf`, filenames defined by property).
{% data variables.product.prodname_dependabot %} runs Gradle to update the Gradle Wrapper:
* `gradle/wrapper/gradle-wrapper.properties`
* `gradlew`
* `gradlew.bat`
* `gradle/wrapper/gradle-wrapper.jar`
{% data variables.product.prodname_dependabot %} supports updates to the following files without needing to run Gradle:
* `build.gradle`, `build.gradle.kts` (for Kotlin projects)
* `gradle/libs.versions.toml` (for projects using a standard Gradle version catalog)
* `gradle.lockfile` (for projects using Gradle dependency locking)
* Files included via the `apply` declaration that have `dependencies` in the filename. Note that `apply` does not support `apply to`, recursion, or advanced syntaxes (for example, Kotlin's `apply` with `mapOf`, filenames defined by property).
{% data variables.product.prodname_dependabot %} runs Gradle to update the Gradle Wrapper:
* `gradle/wrapper/gradle-wrapper.properties`
* `gradlew`
* `gradlew.bat`
* `gradle/wrapper/gradle-wrapper.jar`

Copy link
Contributor

@yeikel yeikel Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. Thanks for the suggestions

{% data variables.product.prodname_dependabot %} uses information from the `pom.xml` file of dependencies to add links to release information in update pull requests. If the information is omitted from the `pom.xml` file, then it cannot be included in {% data variables.product.prodname_dependabot %} pull requests, see [AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/optimizing-java-packages-dependabot).

For {% data variables.product.prodname_dependabot_security_updates %}, Gradle support is limited to manual uploads of the dependency graph data using the {% data variables.dependency-submission-api.name %}. For more information about the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api).

> [!NOTE]
> * When you upload Gradle dependencies to the dependency graph using the {% data variables.dependency-submission-api.name %}, all project dependencies are uploaded, even transitive dependencies that aren't explicitly mentioned in any dependency file. When an alert is detected in a transitive dependency, {% data variables.product.prodname_dependabot %} isn't able to find the vulnerable dependency in the repository, and therefore won't create a security update for that alert.
> * {% data variables.product.prodname_dependabot_version_updates %} will, however, create pull requests when the parent dependency is explicitly declared as a direct dependency in the project's manifest file.
> * When updating the Gradle Wrapper, {% data variables.product.prodname_dependabot %} uses `gradle-wrapper` for the dependency name.

### Helm Charts

Expand Down
Loading