All dependencies are assigned to the settings.gradle.kts file
#80
Comments
|
FYI here's the commit that flattened the model to a single "manifest" for the entire build invocation. Ideally, each resolved dependency version could be traced to the one (or several) places where it is declared. Unfortunately Gradle makes this very difficult to determine, and simply linking to the subproject that resolves a dependency (the previous behaviour) wasn't particular helpful if the version is defined elsewhere, like in a plugin or a BUT, linking the dependency to each subproject has the major downside of creating many more dependabot alerts for the project when this version needed upgrading. When working with real-world projects this made the Dependency Graph support much less useful, since the 100s of alerts generated led to users not trusting the tool. So until we can reliably link a dependency version to the source file where it is defined, I'd prefer to point to the entire Gradle build (either |
To clarify this: imaging a Gradle build with 100 Java subprojects, and each subproject applies a convention plugin to configure the version of Junit used. In this case, we should be linking the junit dependency to the plugin sources as the single location where the version is defined. But since we don't have a mechanism to do this, I don't think we should link this junit version to each of the subprojects that applies that plugin. Instead, we simply link the junit version to the entire Gradle build, relying on the users to determine which exact source file needs to be updated. |
Friendly ping to @jhutchings1 This seems like a bug, and/or a bad user experience for this feature.
This seems like something that could be tracked if the
This seems like a reasonable "guess" could be made for a majority of cases, rather than always being incorrect by just using the |
🤔 I see your rationale, but I don't entirely agree. The dependency is tied to a specific subproject, and each subproject has a dedicated |
Understood that this isn't ideal behavior, but we're not anticipating making any changes to the behavior of the API at this time. |
|
adding to the discussion here - medium sized Gradle build, 49 modules, 1 extra included build. Dependency analysis is cool, but I have no clue where the deps are coming from as all of them say Example: GitHub raised a warning about |
|
Nope, I wasn't aware of those docs. I did manage to solve all of my issues by manually invoking the GitHub variant of the plugin locally though. I think the most ergonomic way for solving this would be perhaps exporting the generated |
|
Thanks @madisp. |
|
We use renovate and was attempting to use the gradle dependency graph to auto-create PRs. The config passed to renovate come directly from this plugin. Therefore it is telling renovate to look in I'm not a java developer, but best I can tell you can't declare dependencies inside of Would it be possible to make this file configurable? We don't have any subprojects so setting it to |
Looking at the self-test results, all of the dependencies are being bound to the
settings.gradle.ktsfile instead of binding the dependencies to the respective subproject'sbuild.gradle.ktsfile.https://github.com/gradle/github-dependency-graph-gradle-plugin/network/dependencies
For example, search for
junit: https://github.com/gradle/github-dependency-graph-gradle-plugin/network/dependencies?q=junitThis dependency could be traced to either of these two locations:
github-dependency-graph-gradle-plugin/plugin/build.gradle.kts
Line 44 in 03dc2f1
github-dependency-graph-gradle-plugin/gradle/libs.versions.toml
Lines 19 to 20 in 03dc2f1
However, neither of these files are linked to in the GitHub UI
The text was updated successfully, but these errors were encountered: