Question Suppose I am applying a plugin that depends on tran Gradle Community #community-support

Question: Suppose I am applying a plugin that depe...

Kelvin Chung

08/27/2025, 1:35 AM

Question: Suppose I am applying a plugin that depends on, transitively, a jar that is marked as vulnerable or outdated, How do I replace it with a version that is current? Would I need to apply dependency constraints (or a platform) on the buildscript classpath, or will it suffice to put dependency constraints on, say, a convention plugin that applies that plugin?

➕ 1

Martin

08/27/2025, 7:54 AM

Load all your plugins with the

buildscript{}

block and you can use regular dependency management APIs

Martin

08/27/2025, 7:55 AM

Otherwise you can use `pluginManagement.resolutionStrategy`https://docs.gradle.org/current/userguide/plugins.html#sec:plugin_resolution_rules

Martin

08/27/2025, 7:56 AM

But unsure if that last option allows to control the transitive dependencies. I like the

buildscript {}

block for those cases

Martin

08/27/2025, 7:57 AM

Otherwise, make a

build-logic

included build and then you can use the regular dependency management in your

build-logic/build.gradle.kts

Vampire

08/27/2025, 9:29 AM

You don't need to load all your plugins with

buildscript

block to use regular dependency management, you can just as you assumed just set a dependency constraint for that single transitive library in the

buildscript

block.

pluginManagement.resolutionStrategy

is afair totally useless for this as it just allows you to map plugin ids to plugin code artifacts. With your convention plugin you can also do it, yes. Either declare a dependency on the newer version of that transitive dependency, or cleaner would of course be declare a dependency constraint that is published as part of the convention plugin metadata. So what works just fine is for example

Copy code

buildscript {
    dependencies {
        classpath("com.fasterxml.jackson.core:jackson-core:2.19.2")
    }
}

plugins {
    id("com.github.node-gradle.node") version "3.5.1"
}

As well as just having in the build script of the convention plugin

Copy code

dependencies {
    constraints {
        implementation("com.fasterxml.jackson.core:jackson-core:2.19.2")
    }
}

Kelvin Chung

08/27/2025, 7:13 PM

Odd that Dependabot is still reporting a vulnerability after a dependency constraint has been applied. That's probably more of a question on how Dependabot does things than how Gradle does things.

Thomas Broyer

08/28/2025, 6:49 AM

Did you confirm that it had an effect with

./gradlew buildEnvironment

Kelvin Chung

08/28/2025, 7:43 AM

Yes, but it could be from the multiple included build structure that could be a contributing factor. My root build, for example, has a

buildEnvironment

completely devoid of dependencies. So for me, adding a dependency constraint in my platform might not do the trick if the platform itself isn't applied everywhere, for example.

Vampire

08/28/2025, 9:01 AM

If you for example add it to the platform but only use the platform for production dependencies of the project, of course plugin dependencies are not affected for example.

Open in Slack

Previous Next