Feature to ban certain dependencies #1069

Open
ash211 opened this issue Jul 15, 2023 · 2 comments
Comments

@ash211
Contributor

ash211 commented Jul 15, 2023

What happened?

Occasionally I want to ban a dependency in a repo, and fail gradle checks if it appears in versions.lock.

For example, if I've spent some work to migrate off of a problematic library, I'd like to then add it to a banned list to make sure that it doesn't sneakily re-appear in a repo as a result of some auto-upgrade bump. In my example it's a certain maven coordinate, not a specific version of a coordinate.

What did you want to happen?

Some way to provide a list of deps that cannot be depended on, directly or transitively. For example:

dependencies {
  banned {
    module('com.sun.jersey:jersey-server') {
      because 'Unwanted reason x'
    }
    module('org.glassfish.jersey.core:jersey-server') {
      because 'Unwanted reason y'
    }
    module('ch.qos.logback:logback-core') {
      because 'Unwanted reason z'
    }
  }
}
@iamdanfox
Contributor

What about this: https://docs.gradle.org/current/userguide/rich_versions.html

dependencies {
    constraints {
        rootConfiguration 'ch.qos.logback:logback-core', {
            version { reject() }
            because ' ... explanation ... '
        }
    }
}

@ash211
Contributor Author

ash211 commented Mar 8, 2024

I couldn't get that to work (check still passed despite a violating entry in versions.lock), but got this to do a similar thing in /build.gradle:

tasks.register('checkVersionLock') {
    doLast {
        def lockFilePath = "${projectDir}/versions.lock"
        def lockFile = new File(lockFilePath)
        if (!lockFile.exists()) {
            throw new GradleException("The versions.lock file does not exist.")
        }

        // Maven coordinates (group:name, no version) that must not appear
        // anywhere in the lock file, whether pulled in directly or transitively.
        def unwantedDependencies = [
          'ch.qos.logback:logback-core',
          // add more to this list..
        ]

        def lines = java.nio.file.Files.readAllLines(java.nio.file.Paths.get(lockFilePath))
        // Lock entries look like "group:name:version (N constraints: hash)".
        // Match on "group:name:" including the trailing colon, so a banned
        // coordinate does not also flag an artifact whose name merely starts
        // with it (a hypothetical logback-core-foo, for instance).
        def foundUnwantedDependencies = lines.findAll { line ->
            unwantedDependencies.any { invalidString -> line.startsWith(invalidString + ':') }
        }

        if (!foundUnwantedDependencies.empty) {
            throw new GradleException("The versions.lock file contains invalid lines: \n\n${foundUnwantedDependencies.join('\n')}")
        }
    }
}

tasks.named('check') {
    dependsOn('checkVersionLock')
}

It mostly does what I want, and the only difference is that I've found something where I'm fine with using it in a test source set but not the main source set. So I'd like to ban from all main source sets, but allow in the test one.
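
The check described in this thread, including the main-versus-test distinction from the last comment, as an added example that is not code from the project or from anyone in the thread. It assumes the lock-file layout gradle-consistent-versions writes: one `group:name:version (N constraints: hash)` line per resolved module, production modules first, then a `[Test dependencies]` header ahead of modules that only test source sets pull in. The sample lock text, the `logback-core-shim` artifact and the ban reasons are constructed. It is written as a standalone Python check so it runs in CI without a Gradle build; the same exact-coordinate matching and scoping logic drops straight into a doLast block.

```python
"""Check a gradle-consistent-versions versions.lock for banned coordinates.

Added example for this issue thread, not project code. Assumed layout: one
"group:name:version (N constraints: hash)" line per module, production
entries first, then a "[Test dependencies]" header before test-only entries.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

TEST_SECTION_HEADER = "[Test dependencies]"
LOCK_LINE = re.compile(
    r"^(?P<group>[^:\s]+):(?P<name>[^:\s]+):(?P<version>\S+)"
    r"(?:\s+\((?P<constraints>[^)]*)\))?\s*$"
)

# Constructed sample lock file, not taken from any real repository.
# "logback-core-shim" is a made-up artifact that shows why a prefix test
# (line.startswith("ch.qos.logback:logback-core")) is the wrong check.
SAMPLE_LOCK = """\
# Run ./gradlew --write-locks to regenerate this file
ch.qos.logback:logback-classic:1.2.13 (1 constraints: 0b0d0e3a)
ch.qos.logback:logback-core:1.2.13 (2 constraints: 1a2b3c4d)
ch.qos.logback:logback-core-shim:0.1.0 (1 constraints: 2b3c4d5e)
org.glassfish.jersey.core:jersey-server:2.41 (1 constraints: 5e6f7a8b)

[Test dependencies]
com.sun.jersey:jersey-server:1.19.4 (1 constraints: 9c0d1e2f)
junit:junit:4.13.2 (1 constraints: 3a4b5c6d)
"""

# Ban list: "group:name" -> (reason, allowed_in_tests). Reasons are the
# placeholders from the feature request.
BANNED = {
    "ch.qos.logback:logback-core": ("Unwanted reason z", False),
    "com.sun.jersey:jersey-server": ("Unwanted reason x", True),
    "org.glassfish.jersey.core:jersey-server": ("Unwanted reason y", False),
}


@dataclass(frozen=True)
class LockedModule:
    group: str
    name: str
    version: str
    production: bool  # False for entries after the [Test dependencies] header
    line_no: int

    @property
    def coordinate(self) -> str:
        return f"{self.group}:{self.name}"


def parse_lock(text: str) -> list[LockedModule]:
    """Parse lock-file text; raise on any line that is not a known shape."""
    modules: list[LockedModule] = []
    in_test_section = False
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == TEST_SECTION_HEADER:
            in_test_section = True
            continue
        match = LOCK_LINE.match(line)
        if match is None:
            # Fail closed: a line we cannot parse could be hiding a banned module.
            raise ValueError(f"versions.lock line {line_no}: unrecognised entry {raw!r}")
        modules.append(LockedModule(match["group"], match["name"], match["version"],
                                    production=not in_test_section, line_no=line_no))
    return modules


def find_violations(modules, banned):
    """Return (module, reason) pairs that break a ban rule.

    Matching is on the exact group:name, so banning ch.qos.logback:logback-core
    flags neither logback-core-shim nor logback-classic. A rule marked
    allowed_in_tests only applies to production entries.
    """
    violations = []
    for module in modules:
        rule = banned.get(module.coordinate)
        if rule is None:
            continue
        reason, allowed_in_tests = rule
        if allowed_in_tests and not module.production:
            continue
        violations.append((module, reason))
    return violations


def check_lock_text(text: str, banned=BANNED) -> list[str]:
    """Parse, check, and return one human-readable line per violation."""
    return [
        f"line {m.line_no}: {m.coordinate}:{m.version} "
        f"({'production' if m.production else 'test-only'}) is banned: {reason}"
        for m, reason in find_violations(parse_lock(text), banned)
    ]


if __name__ == "__main__":
    # Usage: python check_versions_lock.py [path/to/versions.lock]
    # With no argument the constructed sample above is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    problems = check_lock_text(text)
    print("\n".join(problems) if problems else "versions.lock: no banned dependencies")
    sys.exit(1 if problems else 0)
```

Two choices matter for the "sneaky re-appearance" goal. Matching the full `group:name` rather than a string prefix means the ban list cannot be dodged, or spuriously tripped, by a sibling artifact with a longer name. Raising on any lock line the parser does not recognise keeps the check failing closed: if the lock-file format ever changes, the build fails loudly instead of silently scanning nothing.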
