# dependency-management
t
Due diligence: is there an easy way to check whether a dependency is declared in a build script?* One of the devs I support wants to enforce that people add a specific dependency, which carries this "forbidden to declare" dependency transitively. I'm not convinced it's a good idea, but I wanted to check if it was easily doable before I shut it down.
*The one thing that comes to mind is checking the dependencies in the "bucket" configurations like `implementation` and `api`.
c
Perhaps check out the Nebula resolution rules plugin, specifically creating custom rules (JSON files) to reject, deny, substitute as appropriate. That’s a layer over the underlying Gradle APIs that can do the same thing.
c
hmmm… are dependency substitution rules idempotent/recursion safe? Seems like the friendly way to do this is to declare that the “banned thing” should be substituted for by the internal “blessed thing”?
c
Yeah, depends on the specifics - replace with a “good” version, substitute with a replacement, or outright fail.
c
regarding how to implement, my first instinct would be to reach for:
```groovy
configurations.all {
  incoming.beforeResolve { deps ->
    // some logic that interrogates deps
  }
}
```
but I’ve been burnt by trying to do clever things in beforeResolve before…
t
I appreciate the ideas, guys 🙂
👍 2
j
I have done
```kotlin
project.configurations.findByName("implementation")
    ?.dependencies
    ?.any { it.name == "library-name" } ?: false
```
That is in Kotlin.
m
Technically speaking, even if you look at first-level dependencies, you will not know if they were declared in a build script or somewhere else (e.g. in a plugin).
👍 1
j
Good point