Scope Dependabot to published runtime deps (stop auditing build-time AGP tooling)#36
Merged
Every Dependabot alert on this repo has been a build-time tooling transitive: the Android Gradle Plugin and its stack (bundletool, apksig, lint, the Unified Test Platform, grpc-netty, bouncycastle, protobuf, jackson, woodstox, okhttp, ...). None of it ships in the published :core / :compose-ui artifacts. GitHub's managed Automatic Dependency Submission submits the entire Gradle graph, so Dependabot audits all of that build tooling. This scopes a custom submission to the published libraries' runtime classpaths (:core runtimeClasspath, :compose-ui releaseRuntimeClasspath) — which resolve to only kotlin-stdlib/joni/jcodings/gson and Compose, i.e. exactly what consumers get. Real future vulns in those still get flagged; build-time noise stops. Activation: disable the managed 'Automatic dependency submission' in Settings -> Code security, so its full-graph snapshot no longer merges with this scoped one. Follow-up: once that is verified clean, the buildscript force(...) block from #34 is redundant (the buildscript classpath is no longer submitted) and can be removed.
KotlinTextMate Benchmark
| Benchmark suite | Current: 8ce100c | Previous: c729827 | Ratio |
|---|---|---|---|
| dev.textmate.benchmark.TokenizerBenchmark.tokenizeFile ( {"grammar":"kotlin"} ) | 32.648888935483875 ms/op | 32.253007061187915 ms/op | 1.01 |
| dev.textmate.benchmark.TokenizerBenchmark.tokenizeFile ( {"grammar":"json"} ) | 12.681656005485232 ms/op | 12.145240534774931 ms/op | 1.04 |
| dev.textmate.benchmark.TokenizerBenchmark.tokenizeFile ( {"grammar":"markdown"} ) | 412.5986815555555 ms/op | 439.63217492 ms/op | 0.94 |
| dev.textmate.benchmark.TokenizerBenchmark.tokenizeFile ( {"grammar":"javascript"} ) | 1528.242254 ms/op | 1582.4230711999999 ms/op | 0.97 |
This comment was automatically generated by workflow using github-action-benchmark.
ivan-magda added a commit that referenced this pull request on May 28, 2026:
The alerts #34 targeted were all build-time AGP tooling transitives that never ship. They are now resolved at the source by scoping the dependency submission to the published runtime classpaths (#36) — the Dependabot dashboard shows 0 open alerts. With the buildscript classpath no longer in the submitted graph, this force block silences nothing. Keeping it only risks silently downgrading/conflicting with AGP's bundled tooling on a future AGP upgrade (already seen with commons-io 2.15.1 -> 2.14.0). ./gradlew build stays green without it. This reverts commit c729827.
Problem

Every Dependabot alert this repo has received (27, then 29 after the last graph refresh) is a build-time tooling transitive, not a dependency that ships to anyone. They come from the Android Gradle Plugin and its stack: `bundletool`, `apksig`, `sdklib`, lint, the Unified Test Platform, and their transitives — `grpc-netty`, `bouncycastle`, `protobuf`, `jackson`, `woodstox`, `okhttp`, `commons-*`, `jdom2`, `jose4j`, …

GitHub's managed Automatic Dependency Submission submits the entire resolved Gradle graph (every project, every configuration), so Dependabot ends up auditing all of that build tooling. For a published library that's pure noise — and it's a moving target, since each AGP/lint config the submission resolves drags in more.

The earlier buildscript `force(...)` workaround (#34) could only reach the buildscript classpath, so it fixed 13 alerts and left the rest (they live in project tooling configs it can't touch).

Fix

Audit what actually ships. This adds a dependency-submission workflow scoped to the published libraries' runtime classpaths:

- `:core` → `runtimeClasspath`
- `:compose-ui` → `releaseRuntimeClasspath`

Those resolve to exactly the consumer-facing set — `kotlin-stdlib`, `joni`, `jcodings`, `gson`, and Compose — none of the flagged tooling (verified locally: 0 matches for netty/bouncycastle/protobuf/jackson/woodstox/okhttp/commons-*/jdom/jose4j). Real future vulnerabilities in those shipped deps are still caught; build-time noise stops at the source.

Required activation step

The managed submission can't be scoped, so it has to be turned off or its full-graph snapshot merges with this one and the noise remains:

After that, the next push to `main` runs this workflow; the build-tool alerts clear because they're no longer in the submitted graph. (`workflow_dispatch` is enabled, so it can also be run on demand from the Actions tab.)

Follow-up

Once the scoped graph is verified clean, the `buildscript { … force(…) }` block from #34 is redundant — the buildscript classpath is no longer submitted — and can be removed. It's harmless to keep until then, so this PR leaves it in place to avoid any regression window.
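A check for the "verified clean" step above, added here as an example and not the repo's own workflow: it reads a dependency-submission snapshot in the shape GitHub's Dependency Submission API accepts (`manifests` → `resolved` → `package_url`) and reports the coordinates matching the PR's build-tooling list, so the same audit can be run on the snapshot the workflow is about to submit. Both sample snapshots and all versions are constructed placeholders.

```python
import re

# Tooling families the PR's local check greps for; matched against group/artifact coordinates.
BUILD_TOOLING = re.compile(r"netty|bouncycastle|protobuf|jackson|woodstox|okhttp|commons-|jdom|jose4j", re.I)


def make_snapshot(manifests):
    """Minimal dependency-submission snapshot (schema version 0) from {manifest_name: [purl, ...]}."""
    return {"version": 0, "manifests": {
        name: {"name": name, "resolved": {p: {"package_url": p} for p in purls}}
        for name, purls in manifests.items()}}


def coordinates(purl):
    """'pkg:maven/<group>/<artifact>@<version>?<qualifiers>' -> '<group>/<artifact>'."""
    body = purl.split("/", 1)[1]  # drop the 'pkg:maven' type prefix
    return body.split("@", 1)[0].split("?", 1)[0]


def audit(snapshot):
    """Sorted coordinates that Dependabot would audit from this snapshot but that are build tooling."""
    flagged = set()
    for manifest in snapshot["manifests"].values():
        for entry in manifest.get("resolved", {}).values():
            coord = coordinates(entry["package_url"])
            if BUILD_TOOLING.search(coord):
                flagged.add(coord)
    return sorted(flagged)


# Constructed samples; versions are placeholders, not the repo's real ones.
FULL_GRAPH = make_snapshot({  # managed submission: every configuration, buildscript classpath included
    "build.gradle.kts/classpath": [
        "pkg:maven/io.grpc/grpc-netty@0.0.0",
        "pkg:maven/org.bouncycastle/bcprov-jdk18on@0.0.0",
        "pkg:maven/com.fasterxml.jackson.core/jackson-databind@0.0.0",
    ],
    ":core/runtimeClasspath": ["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@0.0.0"],
})
SCOPED = make_snapshot({  # scoped workflow: only the published runtime classpaths
    ":core/runtimeClasspath": [
        "pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@0.0.0",
        "pkg:maven/org.jruby.joni/joni@0.0.0",
        "pkg:maven/org.jruby.jcodings/jcodings@0.0.0",
        "pkg:maven/com.google.code.gson/gson@0.0.0?type=jar",
    ],
})
```

Because Dependabot merges every submitted snapshot, `audit(FULL_GRAPH)` is what stays flagged while the managed submission is still on; `audit(SCOPED)` returning an empty list is the state the PR expects after it is disabled.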