Gradle is happy to announce a technical partnership with GitHub focusing on multiple areas, starting with supply chain security and developer experience. With this partnership, we establish a direct connection between organizations and plan to cooperate on integrations between GitHub and Gradle to promote best security practices among Gradle users.
We’re live! Thanks to all contributors who participated in the release and GitHub Actions evaluation, and kudos to @daz who did most of the implementation and documentation for this project!
I hope this means dependabot will soon start working correctly. Instead of thinking that version catalog dependencies are all actually used… and ideally making correct pull requests with lockfiles. Definately security issues shouldn’t be created if the deps aren’t used.
P.S. I’d be ok with PR’s that only updated libs.versions.toml too, but when it does actually update something used it’s broken because it doesn’t fix the lockfiles.