From b5c2c50aa8dd94167ede2c5223b0d9da597fc452 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 19 Jan 2026 07:04:23 +0000 Subject: [PATCH 1/4] Initial plan From 4db0d8e0659ea8ee0f10302ecbc1925dbedd4d41 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 19 Jan 2026 18:49:41 +0000 Subject: [PATCH 2/4] Force patched transitive versions Co-authored-by: MinecraftFuns <25814618+MinecraftFuns@users.noreply.github.com> --- README.md | 4 ++++ build.gradle.kts | 40 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/README.md b/README.md index 18366f1..ec7c38d 100644 --- a/README.md +++ b/README.md @@ -55,6 +55,10 @@ cargo test - Override the native library path for tests with `LETTERBOX_CORE_LIB_PATH` or the `uniffi.component.letterbox_core.libraryOverride` system property (used by `RustFfiIntegrationTest`). - Gradle uses `gradle.properties` defaults (`org.gradle.jvmargs`, `android.useAndroidX`, Kotlin code style) and `gradle/libs.versions.toml` for dependency versions. +## Dependency overrides + +Gradle forces patched transitive versions in `build.gradle.kts` to satisfy Dependabot advisories without changing application source usage. The forced set currently upgrades buildscript/runtime transitive artifacts pulled in by Android Gradle Plugin tooling (protobuf-java, jdom2, jose4j, commons-lang3, httpclient) and Netty modules that may appear in transitive graphs. If any of these overrides cause incompatibilities, remove or adjust the specific entry and re-run `./gradlew buildEnvironment` or `./gradlew :app:dependencyInsight` to inspect the updated graph. + ## Testing - Rust core: `cargo test`. diff --git a/build.gradle.kts b/build.gradle.kts index 8f59584..8421f75 100644 --- a/build.gradle.kts +++ b/build.gradle.kts 
@@ -2,6 +2,46 @@ plugins { alias(libs.plugins.androidApplication) apply false } +val forcedDependencies = listOf( + "com.google.protobuf:protobuf-java:4.33.4", + "com.google.protobuf:protobuf-kotlin:4.33.4", + "io.netty:netty-codec:4.2.9.Final", + "io.netty:netty-codec-http:4.2.9.Final", + "io.netty:netty-codec-http2:4.2.9.Final", + "io.netty:netty-common:4.2.9.Final", + "io.netty:netty-handler:4.2.9.Final", + "org.bitbucket.b_c:jose4j:0.9.6", + "org.jdom:jdom2:2.0.6.1", + "org.apache.commons:commons-lang3:3.20.0", + "org.apache.httpcomponents:httpclient:4.5.14", +) + +buildscript { + val buildscriptForcedDependencies = listOf( + "com.google.protobuf:protobuf-java:4.33.4", + "com.google.protobuf:protobuf-kotlin:4.33.4", + "io.netty:netty-codec:4.2.9.Final", + "io.netty:netty-codec-http:4.2.9.Final", + "io.netty:netty-codec-http2:4.2.9.Final", + "io.netty:netty-common:4.2.9.Final", + "io.netty:netty-handler:4.2.9.Final", + "org.bitbucket.b_c:jose4j:0.9.6", + "org.jdom:jdom2:2.0.6.1", + "org.apache.commons:commons-lang3:3.20.0", + "org.apache.httpcomponents:httpclient:4.5.14", + ) + + configurations.configureEach { + resolutionStrategy.force(*buildscriptForcedDependencies.toTypedArray()) + } +} + +allprojects { + configurations.configureEach { + resolutionStrategy.force(*forcedDependencies.toTypedArray()) + } +} + tasks.register("clean") { delete(rootProject.layout.buildDirectory) } From 1e3a268bc64c30d5153310fe55c82b3816f58a5c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 19 Jan 2026 18:52:42 +0000 Subject: [PATCH 3/4] De-duplicate forced dependency list Co-authored-by: MinecraftFuns <25814618+MinecraftFuns@users.noreply.github.com> --- build.gradle.kts | 20 +++----------------- 1 file changed, 3 insertions(+), 17 deletions(-) diff --git a/build.gradle.kts b/build.gradle.kts index 8421f75..21720ce 100644 --- a/build.gradle.kts +++ b/build.gradle.kts 
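Review bot: `resolutionStrategy.force(...)` inside `allprojects { configurations.configureEach { … } }` pins each listed coordinate to exactly that version in every configuration of every project, so it will also downgrade a transitive that is already newer (a later AGP release pulling Netty 4.2.10.Final would be pushed back to 4.2.9.Final), and `force` carries no rationale, so nobody can tell later which advisory a pin answers or when it may be dropped. Where a project has a dependency scope to attach it to, a lower-bound constraint is the safer shape, e.g. `dependencies.constraints { add("implementation", "io.netty:netty-codec") { version { require("4.2.9.Final") }; because("<advisory id>") } }`; if the blanket `force` stays, at least annotate each entry, e.g. `"io.netty:netty-codec:4.2.9.Final", // pinned for <advisory id>; drop once the graph resolves >= this`. Note also that protobuf-java is forced onto the 4.x line and Netty onto 4.2.x; if the current graph resolves 3.x / 4.1.x those are major-line jumps for the AGP tooling that consumes them, so the `./gradlew buildEnvironment` / `dependencyInsight` check the README mentions should be run before merging rather than only after a breakage.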
@@ -16,23 +16,9 @@ val forcedDependencies = listOf( "org.apache.httpcomponents:httpclient:4.5.14", ) -buildscript { - val buildscriptForcedDependencies = listOf( - "com.google.protobuf:protobuf-java:4.33.4", - "com.google.protobuf:protobuf-kotlin:4.33.4", - "io.netty:netty-codec:4.2.9.Final", - "io.netty:netty-codec-http:4.2.9.Final", - "io.netty:netty-codec-http2:4.2.9.Final", - "io.netty:netty-common:4.2.9.Final", - "io.netty:netty-handler:4.2.9.Final", - "org.bitbucket.b_c:jose4j:0.9.6", - "org.jdom:jdom2:2.0.6.1", - "org.apache.commons:commons-lang3:3.20.0", - "org.apache.httpcomponents:httpclient:4.5.14", - ) - - configurations.configureEach { - resolutionStrategy.force(*buildscriptForcedDependencies.toTypedArray()) +gradle.beforeProject { + buildscript.configurations.configureEach { + resolutionStrategy.force(*forcedDependencies.toTypedArray()) } } From b320043b609a69fc5a9036048e5033b8cef297c9 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 19 Jan 2026 18:53:56 +0000 Subject: [PATCH 4/4] Format dependency override notes Co-authored-by: MinecraftFuns <25814618+MinecraftFuns@users.noreply.github.com> --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index ec7c38d..bd502be 100644 --- a/README.md +++ b/README.md 
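Review bot: `gradle.beforeProject { buildscript.configurations.configureEach { … } }` registered from the root build script only fires for projects that have not started evaluating, so it covers `:app` but not the root project itself, whose buildscript classpath — where `alias(libs.plugins.androidApplication) apply false` places AGP and the transitives this series targets — is already resolved by the time this line runs. The de-duplication therefore most likely drops the forcing from the root classpath that the removed `buildscript { … }` block was meant to cover (whether that removed block took effect after the `plugins {}` block is itself unclear, since the Kotlin DSL expects `buildscript {}` first). Verify with `./gradlew buildEnvironment`; if the tooling graph still resolves the old versions, move the force to where it runs before plugin resolution — a `buildscript { configurations.configureEach { resolutionStrategy.force(…) } }` block at the very top of this script, or the same `gradle.beforeProject` hook in `settings.gradle.kts` or an init script, where it fires for the root as well. Separately, if the Dependabot alerts are derived from declared coordinates rather than the resolved graph, resolution-time forcing will not clear them, so confirm the alert source before relying on this change. `val forcedDependencies` starts above the hunk.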
@@ -57,7 +57,9 @@ cargo test ## Dependency overrides -Gradle forces patched transitive versions in `build.gradle.kts` to satisfy Dependabot advisories without changing application source usage. The forced set currently upgrades buildscript/runtime transitive artifacts pulled in by Android Gradle Plugin tooling (protobuf-java, jdom2, jose4j, commons-lang3, httpclient) and Netty modules that may appear in transitive graphs. If any of these overrides cause incompatibilities, remove or adjust the specific entry and re-run `./gradlew buildEnvironment` or `./gradlew :app:dependencyInsight` to inspect the updated graph. +- Gradle forces patched transitive versions in `build.gradle.kts` to satisfy Dependabot advisories without changing application source usage. +- Overrides cover Android Gradle Plugin buildscript/runtime transitive artifacts (protobuf-java, jdom2, jose4j, commons-lang3, httpclient) and Netty modules when they appear in dependency graphs. +- If any override causes incompatibilities, remove or adjust the specific entry and re-run `./gradlew buildEnvironment` or `./gradlew :app:dependencyInsight`. ## Testing