build(deps)(deps): bump gradle-wrapper from 8.10.2 to 9.5.1 in /ssrf-guard-springai-demo#36
Bumps [gradle-wrapper](https://github.com/gradle/gradle) from 8.10.2 to 9.5.1.
- [Release notes](https://github.com/gradle/gradle/releases)
- [Commits](gradle/gradle@v8.10.2...v9.5.1)

---
updated-dependencies:
- dependency-name: gradle-wrapper
  dependency-version: 9.5.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…tifies (#37)

After yesterday's dependabot.yml went live, Dependabot opened 18 individual PRs to bump every demo from Spring Boot 3.5.3 → 4.0.6 and Gradle wrapper 8.10.2 → 9.5.1 (#19-#36). The grouped PRs (e.g. #18 for spring-boot patch/minor) worked correctly; what didn't was that default group semantics excluded `version-update:semver-major`, so major bumps escaped grouping and landed as individual PRs per demo.

Beyond the noise, the real problem is that the demos must mirror the Spring Boot baseline each *starter* was certified against — per its README:

> Spring Boot 3.3+ on Java 21+ (built/tested against 3.5)

easy-paging-spring-boot-starter has not (yet) published a release certified against Spring Boot 4 / Spring Framework 7 / Jakarta EE 11. Auto-bumping demos to SB4 would silently advertise an unverified combination to anyone who clones a demo as a starting point.

This commit adds an `ignore` block that holds majors for:
- org.springframework.boot:* (the BOM driver)
- io.spring.dependency-management
- org.springframework:* and org.springframework.cloud:* (transitively pulled in; majors can land off the SB cadence)
- gradle (wrapper) — each major needs hand verification of deprecations-now-errors before going green across 9 demos

Patch/minor bumps still flow through (and group correctly — PR #18 already proved that path), so security fixes within the 3.5.x line land normally.

Lift these holds when each starter publishes its SB4-compatible release line; the demos can then be upgraded together in one intentional PR per starter, not piecemeal by a robot.

Follow-up:
- Merge PR #18 (grouped patch/minor across 9 demos) and PRs #14-#17 (github-actions minors) since they're inside policy.
- Close PRs #19-#36 (18 stragglers); the new policy guarantees they won't reappear on the next Dependabot run.
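A dependabot.yml fragment of the shape the commit above describes, added here as an illustration and not the repository's actual file: the `ignore` entries hold semver-major bumps for the listed coordinates while a group keeps patch/minor bumps flowing as one PR. The directory, schedule and group name are assumptions; only `/ssrf-guard-springai-demo` and the dependency names come from this page.

```yaml
# Added example, not the repository's real dependabot.yml. Holds semver-major
# bumps for the Spring/Gradle coordinates the commit names so each demo stays
# on the Spring Boot baseline its starter was certified against.
version: 2
updates:
  - package-ecosystem: "gradle"
    directory: "/ssrf-guard-springai-demo"   # one entry per demo (assumed layout)
    schedule:
      interval: "weekly"                      # assumed schedule
    # Patch/minor bumps still arrive, grouped into a single PR. Default group
    # semantics exclude semver-major, which is why majors landed individually.
    groups:
      spring-boot:                            # assumed group name
        patterns:
          - "org.springframework.boot:*"
          - "io.spring.dependency-management"
        update-types:
          - "minor"
          - "patch"
    # Hold majors until the starter publishes an SB4-certified release line;
    # remove the matching entry to lift a hold deliberately, one starter at a time.
    ignore:
      - dependency-name: "org.springframework.boot:*"
        update-types: ["version-update:semver-major"]
      - dependency-name: "io.spring.dependency-management"
        update-types: ["version-update:semver-major"]
      - dependency-name: "org.springframework:*"
        update-types: ["version-update:semver-major"]
      - dependency-name: "org.springframework.cloud:*"
        update-types: ["version-update:semver-major"]
      - dependency-name: "gradle-wrapper"
        update-types: ["version-update:semver-major"]
```

To confirm a hold is in effect on an open PR, comment `@dependabot show <dependency name> ignore conditions` (one of the commands listed at the bottom of this page).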
Superseded by #37

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting
If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Commits
- fd78213 Update Documentation Infrastructure: Fix scrolling issue in user manual (#37861)
- 7758437 fix scroll
- 2fd605f Only try to run as worker thread in DefaultBuildOperationQueue (#37845)
- af69849 Release notes for Gradle 9.5.1 (#37853)
- f4d9d03 Release notes for Gradle 9.5.1
- 01eda3a Address review feedback on worker-lease retry changes
- 7024e15 Revert enrich file visitor with size info onreleasebranch (#37848)
- d51476f Fix tryRunAsWorkerThread null-return test to match contract
- 090ebab Revert "Add getLength() to FilePropertyVisitor.VisitState"
- bceab24 Revert "Fix annotation"

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)