ppkarwasz commented on issue #4720: URL: https://github.com/apache/eventmesh/issues/4720#issuecomment-2049474880
@Pil0tXia,

No, it doesn't support your `known-dependencies.txt` format, but it supports the standard [`libs.versions.toml` file](https://docs.gradle.org/current/userguide/platforms.html#sub:conventional-dependencies-toml).

My approach to this issue would be to:

1. Switch to the `libs.versions.toml` file for dependency versioning. This also requires removing the Spring `dependency-management-plugin` you are currently using,
2. Manually create a "bundle" (in `libs.versions.toml`) that contains **all** the third-party dependencies that end up in your binary distribution. E.g.:
   ```toml
   [libraries]
   accessors-smart = { group = 'net.minidev', name = 'accessors-smart', version = '2.4.7' }
   alibabacloud-gateway-spi = { group = 'com.aliyun', name = 'alibabacloud-gateway-spi', version = '0.0.1' }
   ...
   [bundles]
   dist = ["accessors-smart", "alibabacloud-gateway-spi", ... ]
   ```
3. Create a Groovy script that will use the data in the bundle to check that:
   - your binary distribution archive contains exactly the dependencies from the "bundle",
   - your binary distribution contains a license file for each dependency from the "bundle".
4. Implement automatic merging of Dependabot PRs, which @vy implemented in Apache Logging Services.

This should be a rather safe setup since:

- The TOML file contains **structured** data, so a Groovy script can easily deduce that a file called `accessors-smart-2.4.7.jar` corresponds to the `accessors-smart` entry, which should have a license file in `licenses/net.minidev/LICENSE-accessors-smart.txt`,
- Dependabot will only update the "libraries" section of your file, it will never add or remove libraries from "bundles". So if a new **transitive** dependency appears or disappears, the Dependabot PR will **fail**, so you can **manually** add or remove a license file.

**Remark**: without the last point

--
This is an automated message from the Apache Git Service.
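The check described in step 3, as an added example that is not part of the original comment or of EventMesh's build; it is written in Python rather than Groovy so that it runs stand-alone. It handles only the inline-table entry form shown in the comment, and it assumes a bundle named `dist`, first-party jars prefixed `eventmesh-`, and the constructed sample catalog and file listing embedded in the block.

```python
import re

# Catalog entries in the inline-table form used in the comment:
#   alias = { group = 'g', name = 'n', version = 'v' }
ENTRY = re.compile(
    r"^\s*([\w.-]+)\s*=\s*\{\s*group\s*=\s*['\"]([^'\"]+)['\"]\s*,"
    r"\s*name\s*=\s*['\"]([^'\"]+)['\"]\s*,"
    r"\s*version\s*=\s*['\"]([^'\"]+)['\"]\s*\}", re.M)
BUNDLE = re.compile(r"^\s*dist\s*=\s*\[(.*?)\]", re.M | re.S)

def load_bundle(toml_text):
    """Map each expected jar name in the 'dist' bundle to its license path."""
    libs = {a: (g, n, v) for a, g, n, v in ENTRY.findall(toml_text)}
    m = BUNDLE.search(toml_text)
    aliases = re.findall(r"['\"]([^'\"]+)['\"]", m.group(1)) if m else []
    unknown = [a for a in aliases if a not in libs]
    if unknown:
        raise ValueError(f"bundle references undefined libraries: {unknown}")
    return {f"{n}-{v}.jar": f"licenses/{g}/LICENSE-{n}.txt"
            for g, n, v in (libs[a] for a in aliases)}

def check_dist(toml_text, dist_files, first_party_prefix="eventmesh-"):
    """Return a list of problems; an empty list means the check passes."""
    expected = load_bundle(toml_text)
    files = set(dist_files)
    names = {f.rsplit("/", 1)[-1] for f in files if f.endswith(".jar")}
    # Assumption: the project's own jars share a prefix and are not third-party.
    jars = {j for j in names if not j.startswith(first_party_prefix)}
    want = set(expected)
    problems = [f"unexpected jar (not in bundle): {j}" for j in sorted(jars - want)]
    problems += [f"missing jar (listed in bundle): {j}" for j in sorted(want - jars)]
    problems += [f"missing license file: {p}"
                 for p in sorted(expected.values()) if p not in files]
    return problems

# Constructed sample data (not EventMesh's real files); json-smart is an unlisted transitive jar.
CATALOG = """
[libraries]
accessors-smart = { group = 'net.minidev', name = 'accessors-smart', version = '2.4.7' }
alibabacloud-gateway-spi = { group = 'com.aliyun', name = 'alibabacloud-gateway-spi', version = '0.0.1' }
[bundles]
dist = ["accessors-smart", "alibabacloud-gateway-spi"]
"""
DIST = ["lib/accessors-smart-2.4.7.jar", "lib/alibabacloud-gateway-spi-0.0.1.jar",
        "lib/json-smart-2.4.7.jar", "lib/eventmesh-runtime.jar",
        "licenses/net.minidev/LICENSE-accessors-smart.txt"]

if __name__ == "__main__":
    print("\n".join(check_dist(CATALOG, DIST)))
```

Run in CI against the file listing of the unpacked distribution, a non-empty result is what makes a Dependabot PR fail when a transitive dependency appears or a license file is missing.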
