Renovate updates gradle substitutions #39858

twam · 2025-12-08T08:53:39Z

twam
Dec 8, 2025

How are you running Renovate?

Self-hosted Renovate

Which platform you running Renovate on?

GitHub Enterprise Server

Which version of Renovate are you using?

41.173.1

Please tell us more about your question or problem

In our build.gradle.kts files we 'fix' CVEs but substituting vulnerable versions we indirectly depend on using something like

configurations.configureEach {
     resolutionStrategy.dependencySubstitution {
         substitute(module("ch.qos.logback:logback-core:1.5.19"))
             .using(module("ch.qos.logback:logback-core:1.5.20"))
     }
}

This works until the next Renovate run which auto-updates (we allow patch updates to be auto-merged) to

configurations.configureEach {
     resolutionStrategy.dependencySubstitution {
         substitute(module("ch.qos.logback:logback-core:1.5.20"))
             .using(module("ch.qos.logback:logback-core:1.5.20"))
     }
}

I didn't find anyway to exclude the first of the versions to be updated. I don't want to exclude the lib (or that version) entirely as it's still fine to updated it elsewhere or the second version to a newer one.

Churro · 2025-12-08T11:41:17Z

Churro
Dec 8, 2025
Collaborator

At the moment, the gradle parser in renovate doesn't handle DependencySubstitution constructs that were introduced with gradle 9.x.

To workaround this limitation you could either:

define a package rule that disables updates for ch.qos.logback:logback-core:1.5.19 only in build.gradle.kts using matchFileNames
use dependency constraints functionality instead (example here)

3 replies

twam Dec 8, 2025
Author

Are the any plans/timeline to support DependencySubstitution?

I wasn't aware of the latter option, which looks like a good alternative in this case, but won't work for my current CVE to fix where also the package name slightly changes :(

Churro Dec 8, 2025
Collaborator

Are the any plans/timeline to support DependencySubstitution?

None that I'd be aware of. I'm contributing to this project in my spare time.

jamietanna Dec 10, 2025
Maintainer

If you're able to write a feature request (can be done in here instead of a separate "Suggest a Feature") we can raise an Issue to track it

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Renovate updates gradle substitutions #39858

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Renovate updates gradle substitutions #39858

Uh oh!

Uh oh!

twam Dec 8, 2025

How are you running Renovate?

Which platform you running Renovate on?

Which version of Renovate are you using?

Please tell us more about your question or problem

Replies: 1 comment · 3 replies

Uh oh!

Churro Dec 8, 2025 Collaborator

Uh oh!

twam Dec 8, 2025 Author

Uh oh!

Churro Dec 8, 2025 Collaborator

Uh oh!

jamietanna Dec 10, 2025 Maintainer

twam
Dec 8, 2025

Replies: 1 comment 3 replies

Churro
Dec 8, 2025
Collaborator

twam Dec 8, 2025
Author

Churro Dec 8, 2025
Collaborator

jamietanna Dec 10, 2025
Maintainer