Integrate the dependency-guard Gradle plugin #8866
eaed370 to 2bbee10
@MGaetan89 We don't need to apply dependency-guard for test modules, as they can use any dependency versions they want. If one test module wants to guard its own dependencies some day, other people can add it manually, and I think it is very quick.

After some days of thought since creating the related issue: could we use dependency-guard to guard only some dependencies, like guarding only guava and some AndroidX dependencies? I also want dependabot to work for other dependencies, and we can merge dependabot PRs directly after CI passes for almost safe dependencies.
2bbee10 to a3c46f3
The plugin is applied to every module of the project, on the `runtime*Classpath`
a3c46f3 to cc8607c
Done. Let me know if I should remove it from other modules too.
I'll have a look to see what options the plugin provides
Based on the full configuration options, I'd say that it is not currently possible to control only specific dependencies.
We can't limit the checks to specific dependencies, but we can ensure that specific dependencies/versions are not included, by adding a rule like:

```kotlin
allowedFilter = { dependency ->
    !dependency.startsWith("com.google.guava:guava") || dependency.endsWith("31.1-jre")
}
```

The plugin will still complain when a dependency is updated, but it will show a dedicated error when a forbidden dependency is pulled in.

Forbidden dependency:
Dependency update:
Can we use the filter to affect generated baseline files? If yes, can we refactor the current code to make the management of allowedFilter easy?
I've added
Maybe it's possible to configure Dependabot to run
@MGaetan89 I want to file an issue for dependency-guard to check whether it's possible to request dependency-guard to support it.
Okay, I found an existing issue that can meet our requirement: dropbox/dependency-guard#78.
Fixes #8631

I've applied the plugin to every module of the project, on the `runtimeClasspath` configuration (for non-Android modules) and `releaseRuntimeClasspath` (for Android modules).

Let me know if some modules should be ignored, or if you want to run the check with another configuration.

I've run the `./gradlew dependencyGuardBaseline` command to generate the initial baseline files for each module.

And I've created a new workflow to run the `./gradlew dependencyGuard` command on every push/PR.
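
As an added illustration (not code from this PR or from the dependency-guard project), the version pin discussed in the thread can be driven from a single table so that adding a pin is a one-line change. The names `pinnedVersions` and `isAllowed` are hypothetical, and the sketch assumes the plugin hands the filter coordinates in `group:artifact:version` form and that the plugin version is supplied by the root build:

```kotlin
// build.gradle.kts of an Android module (added example, not the PR's code)
plugins {
    // Assumption: the plugin version is declared once in the root build.
    id("com.dropbox.dependency-guard")
}

// Hypothetical table: "group:artifact" -> the only version allowed on the classpath.
val pinnedVersions = mapOf(
    "com.google.guava:guava" to "31.1-jre", // pin taken from the discussion above
)

// Hypothetical predicate: true when a resolved coordinate may stay on the classpath.
// Assumes coordinates look like "group:artifact:version".
val isAllowed: (String) -> Boolean = { dependency ->
    // Split on the last ':' so the whole "group:artifact" is compared exactly;
    // a sibling artifact such as "com.google.guava:guava-testlib" is not pinned.
    val module = dependency.substringBeforeLast(':')
    val version = dependency.substringAfterLast(':')
    val pinned = pinnedVersions[module]
    // Unpinned modules pass the filter; the baseline comparison still reports
    // any change to them.
    pinned == null || version == pinned
}

dependencyGuard {
    // Non-Android modules would use "runtimeClasspath" instead.
    configuration("releaseRuntimeClasspath") {
        allowedFilter = isAllowed
    }
}
```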