Per a requirement from Information Security, dependency locking in Gradle repositories is to be standardized so that dependency management is consistent and every third-party component in those repositories can be scanned accurately for known security issues. Action is required before the end of December 2022.
[UPDATE 15 NOV 2022]
[UPDATE 02 SEP 2022]
[UPDATE 29 AUG 2022]
Previously we used the Nebula Gradle plugin (com.netflix.nebula:gradle-dependency-lock-plugin) to lock dependency versions in Gradle repositories. Gradle has since added built-in dependency locking, which is the better option and needs no third-party build plugin. Going forward, to keep repositories secure and consistently organized, built-in locking is our standard dependency locking mechanism for Gradle repositories.
Backend / Android teams that have not adopted the standardized dependency locking system in any of their repositories are identified by meeting one of the criteria below:
- com.netflix.nebula:gradle-dependency-lock-plugin
- 7.0
Update to the standard dependency locking mechanism by the end of September 2022. The migration steps are described on this page; they have been tested in the fpraapi and plutus backend services. One day of effort per repository should be more than enough to standardize dependency locking.
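As an added example (not the project's own code and not the migration steps referenced above), the following build.gradle shows the standard built-in locking configuration for a hypothetical Java project, next to the Nebula plugin lines it replaces, with the commands that write and verify the lock file. The dependency coordinates, version numbers and the Nebula task names are assumptions for illustration.

```groovy
// build.gradle (Groovy DSL) for a hypothetical project. Added example, not code from the original page.
//
// BEFORE (Nebula locking, to be removed from the build script):
//   plugins { id 'nebula.dependency-lock' version '<assumed>' }
//   ./gradlew generateLock saveLock      // wrote dependencies.lock (delete that file after migrating)

// Lock the build script's own classpath (the plugins themselves), so plugin versions are
// pinned and visible to scanners as well. State is written to buildscript-gradle.lockfile.
// buildscript {} must come before plugins {}.
buildscript {
    configurations.classpath {
        resolutionStrategy.activateDependencyLocking()
    }
}

plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

// Built-in locking: lock every resolvable configuration of this project.
// STRICT means that resolving a locked configuration with no lock state, or with a result
// that differs from gradle.lockfile, fails the build instead of silently drifting to a new version.
dependencyLocking {
    lockAllConfigurations()
    lockMode = LockMode.STRICT
}

dependencies {
    implementation 'com.fasterxml.jackson.core:jackson-databind:2.13.4'   // assumed sample dependency
    testImplementation 'junit:junit:4.13.2'                               // assumed sample dependency
}

// Commands, run from the repository root:
//   ./gradlew dependencies --write-locks
//       creates or refreshes gradle.lockfile (and buildscript-gradle.lockfile); commit both
//   ./gradlew dependencies --update-locks com.fasterxml.jackson.core:jackson-databind
//       re-resolves only the named module and rewrites its lock entry (deliberate version bump)
//   ./gradlew build
//       under STRICT, fails if any locked configuration lacks lock state or resolves to a
//       version not in the lock file, which is the check a CI pipeline should rely on
//
// Shape of the resulting gradle.lockfile (one line per group:name:version, followed by the
// configurations it was resolved in; configurations that resolved to nothing appear under empty=):
//   # This is a Gradle generated file for dependency locking.
//   # Manual edits can break the build and are not advised.
//   # This file is expected to be part of source control.
//   com.fasterxml.jackson.core:jackson-databind:2.13.4=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
//   junit:junit:4.13.2=testCompileClasspath,testRuntimeClasspath
//   empty=annotationProcessor
```

A single gradle.lockfile per project, rather than one file per configuration, is the default from Gradle 7.0 onward, and it is the file the security scanners read; committing it is what makes the locked versions visible to them.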
Please contact @Fariskhi, @Clavin June, and the @Sal team through the #backend Slack channel.