starred/pkl
1
0
Fork 0
mirror of https://github.com/apple/pkl.git synced 2026-05-25 16:19:20 +02:00
Code Issues 198 Packages Projects Releases 10 Wiki Activity

Remove lockfiles, manage Gradle dependencies with Dependabot (#1535)

Browse Source 
Dependabot currently does not update lockfiles in multi-module projects
(see https://github.com/dependabot/dependabot-core/issues/14633)

To work around this issue, we will simply remove our lockfiles, and
change our version catalog to use fully specified versions.
The removal of lockfiles introduces two issues:

1. It is less visible what our dependency graph is
2. Our builds are potentially non-reproducible

To work around this, two mitigations are in place:

1. Enable `failOnDynamicVersions()`, which causes Gradle to fail the
build if any dependencies declare a version range
2. Enable GitHub dependency submission, which provides insight into the
project SBOM
This commit is contained in:
Daniel Chao
2026-04-20 09:29:33 -07:00
committed by GitHub
parent 9046221e03
commit 07c68239b9
26 changed files with 40 additions and 1683 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pkl-bom/gradle.lockfile
-4
View File
@@ -1,4 +0,0 @@
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
empty=classpath