Merge pull request #39 from BTreeMap/copilot/fix-dependabot-alerts

MinecraftFuns · web-flow · commit aa4755265026 · 2026-01-19T23:09:30.000-05:00
Update transitive dependencies to address Dependabot alerts
diff --git a/README.md b/README.md
@@ -55,6 +55,12 @@ cargo test
 - Override the native library path for tests with `LETTERBOX_CORE_LIB_PATH` or the `uniffi.component.letterbox_core.libraryOverride` system property (used by `RustFfiIntegrationTest`).
 - Gradle uses `gradle.properties` defaults (`org.gradle.jvmargs`, `android.useAndroidX`, Kotlin code style) and `gradle/libs.versions.toml` for dependency versions.
 
+## Dependency overrides
+
+- Gradle forces patched transitive versions in `build.gradle.kts` to satisfy Dependabot advisories without changing application source usage.
+- Overrides cover Android Gradle Plugin buildscript/runtime transitive artifacts (protobuf-java, jdom2, jose4j, commons-lang3, httpclient) and Netty modules when they appear in dependency graphs.
+- If any override causes incompatibilities, remove or adjust the specific entry and re-run `./gradlew buildEnvironment` or `./gradlew :app:dependencyInsight`.
+
 ## Testing
 
 - Rust core: `cargo test`.
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -2,6 +2,32 @@ plugins {
     alias(libs.plugins.androidApplication) apply false
 }
 
+val forcedDependencies = listOf(
+    "com.google.protobuf:protobuf-java:4.33.4",
+    "com.google.protobuf:protobuf-kotlin:4.33.4",
+    "io.netty:netty-codec:4.2.9.Final",
+    "io.netty:netty-codec-http:4.2.9.Final",
+    "io.netty:netty-codec-http2:4.2.9.Final",
+    "io.netty:netty-common:4.2.9.Final",
+    "io.netty:netty-handler:4.2.9.Final",
+    "org.bitbucket.b_c:jose4j:0.9.6",
+    "org.jdom:jdom2:2.0.6.1",
+    "org.apache.commons:commons-lang3:3.20.0",
+    "org.apache.httpcomponents:httpclient:4.5.14",
+)
+
+gradle.beforeProject {
+    buildscript.configurations.configureEach {
+        resolutionStrategy.force(*forcedDependencies.toTypedArray())
+    }
+}
+
+allprojects {
+    configurations.configureEach {
+        resolutionStrategy.force(*forcedDependencies.toTypedArray())
+    }
+}
+
 tasks.register<Delete>("clean") {
     delete(rootProject.layout.buildDirectory)
 }
