From 0ab8722fa9e6ae546ebf6cc9610a484ecdba4a91 Mon Sep 17 00:00:00 2001 From: Guillermo Mazzola Date: Wed, 20 Aug 2025 10:00:45 +0200 Subject: [PATCH 1/5] Updated `dependabot`'s docs to add `Gradle Wrapper` --- data/reusables/dependabot/supported-package-managers.md | 1 + 1 file changed, 1 insertion(+) diff --git a/data/reusables/dependabot/supported-package-managers.md b/data/reusables/dependabot/supported-package-managers.md index 4da4a7de5688..a028de2ec8d7 100644 --- a/data/reusables/dependabot/supported-package-managers.md +++ b/data/reusables/dependabot/supported-package-managers.md @@ -122,6 +122,7 @@ For more information about using {% data variables.product.prodname_dependabot_v {% data variables.product.prodname_dependabot %} doesn't run Gradle but supports updates to the following files: * `build.gradle`, `build.gradle.kts` (for Kotlin projects) +* `gradle/wrapper/gradle-wrapper.properties` (for Gradle wrapper) * `gradle/libs.versions.toml` (for projects using a standard Gradle version catalog) * `gradle.lockfile` (for projects using Gradle dependency locking) * `gradle/wrapper/gradle-wrapper.properties` (for the Gradle Wrapper) From 0d5b04cf4c958ffce709df0f087ab6da123e04dc Mon Sep 17 00:00:00 2001 From: kbukum1 Date: Fri, 16 Jan 2026 16:26:33 -0600 Subject: [PATCH 2/5] Update Gradle wrapper description in documentation Clarified the terminology for the Gradle wrapper in the documentation. --- data/reusables/dependabot/supported-package-managers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/reusables/dependabot/supported-package-managers.md b/data/reusables/dependabot/supported-package-managers.md index a028de2ec8d7..491665abe9fa 100644 --- a/data/reusables/dependabot/supported-package-managers.md +++ b/data/reusables/dependabot/supported-package-managers.md 
@@ -122,7 +122,7 @@ For more information about using {% data variables.product.prodname_dependabot_v {% data variables.product.prodname_dependabot %} doesn't run Gradle but supports updates to the following files: * `build.gradle`, `build.gradle.kts` (for Kotlin projects) -* `gradle/wrapper/gradle-wrapper.properties` (for Gradle wrapper) +* `gradle/wrapper/gradle-wrapper.properties` (for the Gradle Wrapper) * `gradle/libs.versions.toml` (for projects using a standard Gradle version catalog) * `gradle.lockfile` (for projects using Gradle dependency locking) * `gradle/wrapper/gradle-wrapper.properties` (for the Gradle Wrapper) From a4365ccf6cc9f588c2478fdc7a3a793c93db419b Mon Sep 17 00:00:00 2001 From: Yeikel Santana Date: Wed, 28 Jan 2026 04:40:13 -0500 Subject: [PATCH 3/5] Explain the dependency name for the Gradle Wrapper (#1) * Updated `dependabot`'s docs to add `Gradle Wrapper` * Explain the dependency name for the Gradle Wrapper * Reword --------- Co-authored-by: Guillermo Mazzola --- data/reusables/dependabot/supported-package-managers.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/data/reusables/dependabot/supported-package-managers.md b/data/reusables/dependabot/supported-package-managers.md index 491665abe9fa..c257e5a263a5 100644 --- a/data/reusables/dependabot/supported-package-managers.md +++ b/data/reusables/dependabot/supported-package-managers.md 
@@ -122,7 +122,7 @@ For more information about using {% data variables.product.prodname_dependabot_v {% data variables.product.prodname_dependabot %} doesn't run Gradle but supports updates to the following files: * `build.gradle`, `build.gradle.kts` (for Kotlin projects) -* `gradle/wrapper/gradle-wrapper.properties` (for the Gradle Wrapper) +* `gradle/wrapper/gradle-wrapper.properties` (for Gradle wrapper) * `gradle/libs.versions.toml` (for projects using a standard Gradle version catalog) * `gradle.lockfile` (for projects using Gradle dependency locking) * `gradle/wrapper/gradle-wrapper.properties` (for the Gradle Wrapper) @@ -135,6 +135,7 @@ For {% data variables.product.prodname_dependabot_security_updates %}, Gradle su > [!NOTE] > * When you upload Gradle dependencies to the dependency graph using the {% data variables.dependency-submission-api.name %}, all project dependencies are uploaded, even transitive dependencies that aren't explicitly mentioned in any dependency file. When an alert is detected in a transitive dependency, {% data variables.product.prodname_dependabot %} isn't able to find the vulnerable dependency in the repository, and therefore won't create a security update for that alert. > * {% data variables.product.prodname_dependabot_version_updates %} will, however, create pull requests when the parent dependency is explicitly declared as a direct dependency in the project's manifest file. +> * When updating the Gradle Wrapper, {% data variables.product.prodname_dependabot %} uses `gradle-wrapper` for the dependency name. ### Helm Charts From ad1b8f63edc43481e5e57b8be91b0c0c28461607 Mon Sep 17 00:00:00 2001 
From: Yeikel Santana Date: Wed, 28 Jan 2026 04:40:47 -0500 Subject: [PATCH 4/5] Document that Gradle runs when updating the Gradle Wrapper (#2) * Updated `dependabot`'s docs to add `Gradle Wrapper` * Document that Gradle runs when updating the Gradle Wrapper * Remove empty line --------- Co-authored-by: Guillermo Mazzola --- data/reusables/dependabot/supported-package-managers.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/data/reusables/dependabot/supported-package-managers.md b/data/reusables/dependabot/supported-package-managers.md index c257e5a263a5..6372083c866b 100644 --- a/data/reusables/dependabot/supported-package-managers.md +++ b/data/reusables/dependabot/supported-package-managers.md 
@@ -128,6 +128,12 @@ For more information about using {% data variables.product.prodname_dependabot_v * `gradle/wrapper/gradle-wrapper.properties` (for the Gradle Wrapper) * Files included via the `apply` declaration that have `dependencies` in the filename. Note that `apply` does not support `apply to`, recursion, or advanced syntaxes (for example, Kotlin's `apply` with `mapOf`, filenames defined by property). +{% data variables.product.prodname_dependabot %} runs Gradle to update the Gradle Wrapper: +* `gradle/wrapper/gradle-wrapper.properties` +* `gradlew` +* `gradlew.bat` +* `gradle/wrapper/gradle-wrapper.jar` + {% data variables.product.prodname_dependabot %} uses information from the `pom.xml` file of dependencies to add links to release information in update pull requests. If the information is omitted from the `pom.xml` file, then it cannot be included in {% data variables.product.prodname_dependabot %} pull requests, see [AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/optimizing-java-packages-dependabot). For {% data variables.product.prodname_dependabot_security_updates %}, Gradle support is limited to manual uploads of the dependency graph data using the {% data variables.dependency-submission-api.name %}. For more information about the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). From 1395afc725ae45f8eeb23a734df2a62531448c97 Mon Sep 17 00:00:00 2001 From: kbukum1 Date: Tue, 3 Feb 2026 14:39:10 -0600 Subject: [PATCH 5/5] Apply suggestion from @kbukum1 --- data/reusables/dependabot/supported-package-managers.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/data/reusables/dependabot/supported-package-managers.md b/data/reusables/dependabot/supported-package-managers.md index 6372083c866b..920b6ba257b9 100644 
--- a/data/reusables/dependabot/supported-package-managers.md +++ b/data/reusables/dependabot/supported-package-managers.md 
@@ -120,20 +120,19 @@ For more information about using {% data variables.product.prodname_dependabot_v ### Gradle -{% data variables.product.prodname_dependabot %} doesn't run Gradle but supports updates to the following files: +{% data variables.product.prodname_dependabot %} supports updates to the following files without needing to run Gradle: + * `build.gradle`, `build.gradle.kts` (for Kotlin projects) -* `gradle/wrapper/gradle-wrapper.properties` (for Gradle wrapper) * `gradle/libs.versions.toml` (for projects using a standard Gradle version catalog) * `gradle.lockfile` (for projects using Gradle dependency locking) -* `gradle/wrapper/gradle-wrapper.properties` (for the Gradle Wrapper) * Files included via the `apply` declaration that have `dependencies` in the filename. Note that `apply` does not support `apply to`, recursion, or advanced syntaxes (for example, Kotlin's `apply` with `mapOf`, filenames defined by property). -{% data variables.product.prodname_dependabot %} runs Gradle to update the Gradle Wrapper: +{% data variables.product.prodname_dependabot %} runs Gradle to update the Gradle Wrapper: + * `gradle/wrapper/gradle-wrapper.properties` * `gradlew` * `gradlew.bat` * `gradle/wrapper/gradle-wrapper.jar` - {% data variables.product.prodname_dependabot %} uses information from the `pom.xml` file of dependencies to add links to release information in update pull requests. If the information is omitted from the `pom.xml` file, then it cannot be included in {% data variables.product.prodname_dependabot %} pull requests, see [AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/optimizing-java-packages-dependabot). For {% data variables.product.prodname_dependabot_security_updates %}, Gradle support is limited to manual uploads of the dependency graph data using the {% data variables.dependency-submission-api.name %}. 
For more information about the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api).
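Review bot: in patch 1/5 (hunk `@@ -122,6 +122,7 @@`), the added line `* \`gradle/wrapper/gradle-wrapper.properties\` (for Gradle wrapper)` duplicates the `* \`gradle/wrapper/gradle-wrapper.properties\` (for the Gradle Wrapper)` entry already present three lines below in the same list, so the file would be listed twice with inconsistent capitalisation; drop one of the two. The list is also introduced by "doesn't run Gradle", so if a wrapper update does need Gradle (as patches 4/5 and 5/5 later state), the entry belongs in its own list rather than here.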
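Review bot: patch 2/5 only changes `(for Gradle wrapper)` to `(for the Gradle Wrapper)`, which makes the new entry character-for-character identical to the existing last entry of the list; the fix actually needed is to delete the duplicate line, not to align its wording.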
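Review bot: the first hunk of patch 3/5 (`@@ -122,7 +122,7 @@`) reverts patch 2/5, turning `(for the Gradle Wrapper)` back into `(for Gradle wrapper)`, which is not mentioned in the commit message ("Explain the dependency name for the Gradle Wrapper") and reads like a rebase or merge artefact; drop this hunk so the series does not flip the wording back and forth.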
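Review bot: the NOTE bullet added in the second hunk of patch 3/5 (`@@ -135,6 +135,7 @@`), `When updating the Gradle Wrapper, ... uses \`gradle-wrapper\` for the dependency name.`, is placed under the security-updates paragraph between two bullets about the dependency graph and transitive dependencies, while the wrapper itself is described in the file list further up; move it next to the wrapper entry and say what the name is used for, so a reader knows what to do with it.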
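Review bot: patch 4/5 (`@@ -128,6 +128,12 @@`) adds `{% data variables.product.prodname_dependabot %} runs Gradle to update the Gradle Wrapper:` to a section whose lead sentence, visible in the earlier hunks, says Dependabot "doesn't run Gradle", and it leaves `gradle/wrapper/gradle-wrapper.properties` in both the no-Gradle list and the new runs-Gradle list; reword the lead sentence and keep the file in one list only. Because the new list includes a binary, `gradle/wrapper/gradle-wrapper.jar`, it is also worth stating that all four files are changed together in one update, so reviewers of those pull requests know to expect the jar and the `gradlew`/`gradlew.bat` scripts to change rather than only a version string.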
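Review bot: patch 5/5 (`@@ -120,20 +120,19 @@`) removes the blank line between `* \`gradle/wrapper/gradle-wrapper.jar\`` and the following `{% data variables.product.prodname_dependabot %} uses information from the \`pom.xml\` file` paragraph; in Markdown that can make the paragraph render as a continuation of the last list item, so keep that blank line (the blank lines added after the two list introductions are fine). The commit message "Apply suggestion from @kbukum1" also does not say that this commit rewrites the lead sentence to "supports updates to the following files without needing to run Gradle" and deletes both duplicate wrapper entries, which is the substantive fix of the whole series; spell that out in the message.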