Remove lockfiles, manage Gradle dependencies with Dependabot (#1535)

Dependabot currently does not update lockfiles in multi-module projects
(see https://github.com/dependabot/dependabot-core/issues/14633)

To work around this issue, we will simply remove our lockfiles, and
change our version catalog to use fully specified versions.
The removal of lockfiles introduces two issues:

1. It is less visible what our dependency graph is
2. Our builds are potentially non-reproducible

To work around this, two mitigations are in place:

1. Enable `failOnDynamicVersions()`, which causes Gradle to fail the
build if any dependencies declare a version range
2. Enable GitHub dependency submission, which provides insight into the
project SBOM
This commit is contained in:
Daniel Chao
2026-04-20 09:29:33 -07:00
committed by GitHub
parent 9046221e03
commit 07c68239b9
26 changed files with 40 additions and 1683 deletions
-7
View File
@@ -68,13 +68,6 @@ plugins { id("org.gradle.toolchains.foojay-resolver-convention") version ("1.0.0
@Suppress("UnstableApiUsage") dependencyResolutionManagement { repositories { mavenCentral() } }
if (
gradle.startParameter.taskNames.contains("updateDependencyLocks") ||
gradle.startParameter.taskNames.contains("uDL")
) {
gradle.startParameter.isWriteDependencyLocks = true
}
for (prj in rootProject.children) {
prj.buildFileName = "${prj.name}.gradle.kts"
}