From 949150fe8b9e011c16fee4c440f1818c7ceb7c3e Mon Sep 17 00:00:00 2001 From: Yeikel Santana Date: Sat, 15 Nov 2025 20:40:10 -0500 Subject: [PATCH 1/2] Explain the dependency name for the Gradle Wrapper --- data/reusables/dependabot/supported-package-managers.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/data/reusables/dependabot/supported-package-managers.md b/data/reusables/dependabot/supported-package-managers.md index e25729f1e7be..69461ff52b85 100644 --- a/data/reusables/dependabot/supported-package-managers.md +++ b/data/reusables/dependabot/supported-package-managers.md @@ -110,6 +110,8 @@ For more information about using {% data variables.product.prodname_dependabot_v For {% data variables.product.prodname_dependabot_security_updates %}, Gradle support is limited to manual uploads of the dependency graph data using the {% data variables.dependency-submission-api.name %}. For more information about the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). +When updating the Gradle Wrapper, {% data variables.product.prodname_dependabot %} will label the dependency as `gradle-wrapper` in pull requests. + > [!NOTE] > * When you upload Gradle dependencies to the dependency graph using the {% data variables.dependency-submission-api.name %}, all project dependencies are uploaded, even transitive dependencies that aren't explicitly mentioned in any dependency file. When an alert is detected in a transitive dependency, {% data variables.product.prodname_dependabot %} isn't able to find the vulnerable dependency in the repository, and therefore won't create a security update for that alert. > * {% data variables.product.prodname_dependabot_version_updates %} will, however, create pull requests when the parent dependency is explicitly declared as a direct dependency in the project's manifest file. 
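Review bot: The added sentence "When updating the Gradle Wrapper, ... will label the dependency as `gradle-wrapper` in pull requests." sits directly after the paragraph on {% data variables.product.prodname_dependabot_security_updates %} and the dependency submission API, so it reads as a statement about security updates. "Label" can also be mistaken for the labels applied to pull requests. Suggest phrasing it in terms of the dependency name, and attaching it to the text it relates to instead of leaving it as a free-standing paragraph ahead of the `> [!NOTE]` block.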
From c32a58160a0f61a55fd6184478c0e9c9b0fb65b2 Mon Sep 17 00:00:00 2001 From: Yeikel Santana Date: Sat, 15 Nov 2025 20:53:49 -0500 Subject: [PATCH 2/2] Reword --- data/reusables/dependabot/supported-package-managers.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/data/reusables/dependabot/supported-package-managers.md b/data/reusables/dependabot/supported-package-managers.md index 69461ff52b85..8006f8db44d9 100644 --- a/data/reusables/dependabot/supported-package-managers.md +++ b/data/reusables/dependabot/supported-package-managers.md 
@@ -110,11 +110,10 @@ For more information about using {% data variables.product.prodname_dependabot_v For {% data variables.product.prodname_dependabot_security_updates %}, Gradle support is limited to manual uploads of the dependency graph data using the {% data variables.dependency-submission-api.name %}. For more information about the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). -When updating the Gradle Wrapper, {% data variables.product.prodname_dependabot %} will label the dependency as `gradle-wrapper` in pull requests. - > [!NOTE] > * When you upload Gradle dependencies to the dependency graph using the {% data variables.dependency-submission-api.name %}, all project dependencies are uploaded, even transitive dependencies that aren't explicitly mentioned in any dependency file. When an alert is detected in a transitive dependency, {% data variables.product.prodname_dependabot %} isn't able to find the vulnerable dependency in the repository, and therefore won't create a security update for that alert. > * {% data variables.product.prodname_dependabot_version_updates %} will, however, create pull requests when the parent dependency is explicitly declared as a direct dependency in the project's manifest file. +> * When updating the Gradle Wrapper, {% data variables.product.prodname_dependabot %} uses `gradle-wrapper` for the dependency name. #### Helm Charts
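Review bot: The new third bullet in the `> [!NOTE]` block drops "in pull requests" from the sentence it replaces, so it no longer says where the `gradle-wrapper` name appears. It also follows two bullets that both concern dependency submission API uploads and transitive dependencies, and the second of those opens with "will, however," which ties it to the first. The new bullet is a different topic. Suggest keeping the context, for example "uses `gradle-wrapper` as the dependency name in pull requests", and considering a separate note so the three bullets are not read as one topic.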