What is a Github Dependabot?
Dependabot provides a way to keep your dependencies up to date. Depending on the configuration, it checks your dependency files for outdated dependencies and opens PRs individually. Then based on requirement PRs can be reviewed and merged.
Dependabot with Gradle
Dependabot has a limited support for Gradle. Dependabot looks for a build.gradle or a settings.gradle in your repo, then scans for outdated dependencies and creates a PR based on available updates.
Issue
The issue aries when dependencies are maintained outside of these two files. Dependabot ONLY and ONLY scans build.gradle or settings.gradle. Most of the projects would follow this standard of having versions in these files, but remaining ones wont work at all.
Solution
There is a workaround to this issue. Follow the steps explained below to tackle this issue.
- Create
dependencies.gradlefile to extract all the dependencies. The file name HAS TO BEdependencies.gradle, otherwise the solution will not work. (version.gradleis also not supported!)
ext {
// -- PLUGINS
springBootVersion = "2.5.5"
springDependencyManagementVersion = "1.0.11.RELEASE"
....
//-- DEPENDENCIES
....
springFoxBootVersion = "3.0.0"
hibernateVersion = "5.4.31.Final"
c3p0Version = "0.9.5.5"
postgresVersion = "42.2.10"
....
supportDependencies = [
springfox_boot_starter : "io.springfox:springfox-boot-starter:$springFoxBootVersion",
hibernate_entitymanager : "org.hibernate:hibernate-entitymanager:$hibernateVersion",
hibernate_core : "org.hibernate:hibernate-core:$hibernateVersion",
c3p0 : "com.mchange:c3p0:$c3p0Version"
hibernate_java8 : "org.hibernate:hibernate-java8:$hibernateVersion",
postgresql : "org.postgresql:postgresql:$postgresVersion",
....
]
}
- Modify
build.gradleto usedependencies.gradle
buildscript {
apply from: 'dependencies.gradle'
}
plugins {
id 'org.springframework.boot' version "${springBootVersion}"
id 'io.spring.dependency-management' version "${springDependencyManagementVersion}"
....
}
dependencies {
....
implementation supportDependencies.springfox_boot_starter
implementation supportDependencies.hibernate_entitymanager
implementation supportDependencies.hibernate_core
implementation supportDependencies.c3p0
....
}
....
- Add dependabot support with
.github/dependabot.ymlfile to the project.
version: 2
updates:
- package-ecosystem: "gradle"
directory: "/"
schedule:
interval: "daily"
- Tadaaaa.. On the next run or on a force run of dependency check, if there are updates you should see PRs opened by dependabot.
Conclusion
Dependabot is an amazing tool, to make sure your project gets latest dependencies. But the support of Gradle as compared to Maven is limited when dependencies are not maintained build.gradle or settings.gradle.
If you dont want to maintain the versions in these two files, you can tweak your gradle files in a way that dependabot can scan the project and will find out the issues with the dependencies.
Special Thanks to Sumedh.
Top comments (6)
Hi there! May I ask, where you found the information that
dependencies.gradleis supported? I cannot find it anywhere docs.To corrobore with @cricketsamya, in github you can see what are the files that dependabot are checking, after you add the .yml file
Also, this is only configured to check updatable dependencies, not to generate security alerts
I dug up Dependbot sources and extensive googling helped me to find this 😁
Huh. Weird, that github doesn't have this documented...
I have already raised a PR for doc change, lets see!