• Stars
    star
    404
  • Rank 106,897 (Top 3 %)
  • Language
    Kotlin
  • License
    Apache License 2.0
  • Created almost 3 years ago
  • Updated 6 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A Gradle plugin that guards against unintentional dependency changes.

๐Ÿ›ก๏ธ Dependency Guard

LICENSE Latest Stable Latest Snapshot CI

A Gradle plugin that helps you guard against unintentional dependency changes.

Surface Transitive Dependency Changes

Comparison to a baseline occurs whenever you run the dependencyGuard Gradle task.

A small single version bump of androidx.activity from 1.3.1 -> 1.4.0 causes many libraries to transitively update.

Provide Custom Rules for Allowed Dependencies

For a given configuration, you may never want junit to be shipped. You can prevent this by modifying the allowedFilter rule to return !it.contains("junit") for your situation.

Why Was Dependency Guard Built?

As platform engineers, we do a lot of library upgrades, and needed insight into how dependencies were changing over time. Any small change can have a large impact. On large teams, it's not possible to track all dependency changes in a practical way, so we needed tooling to help. This is a tool that surfaces these changes to any engineer making dependency changes, and allows them to re-baseline if it's intentional. This provides us with historical reference on when dependencies (including transitive) are changed for a given configuration.

Goals:

  • Surface transitive and non-transitive dependencies changes for our production build configurations. This helps during version bumps and when new libraries are added.
  • Provide the developer with the ability to easily accept changes as needed.
  • Add deny-listing for production build configurations to explicitly block some dependencies from production.
  • Include a record of the change in Git when their code is merged to easily diagnose/debug crashes in the future.
  • Be deterministic. De-duplicate entries, and order alphabetically.

Real World Issues Which Dependency Guard Addresses

  • Accidentally shipping a testing dependency to production because implementation was used instead of testImplementation - @handstandsam
    • Dependency Guard has List and Tree baseline formats that can compared against to identify changes. If changes occur, and they are expected, you can re-baseline.
  • Dependency versions were transitively upgraded which worked fine typically, but caused a runtime crash later that was hard to figure out why it happened.
    • You would see the diff off dependencies in Git since the last working version and be able to have quickly track down the issue.
  • After adding Ktor 2.0.0, it transitively upgraded to Kotlin 1.6.20 which caused incompatibilities with Jetpack Compose 1.1.1 which requires Kotlin 1.6.10 - @joreilly
    • During large upgrades it is important to see how a single version bump will impact the rest of your application.
  • Upgrading to the Android Gradle Plugin transitively downgraded protobuf plugin which caused issues - @AutonomousApps

Setup and Configuration

Step 1: Adding The Dependency Guard Gradle Plugin and Baselining

// sample/app/build.gradle.kts
plugins {
  id("com.dropbox.dependency-guard") version "0.4.3"
}

Step 2: Run ./gradle dependencyGuard and Configure

This will show a list of available configuration(s) for this Gradle module.

You can choose the configurations you want to monitor.

We suggest monitoring your release configuration to know what is included in production builds. You can choose to monitor any classpath configuration with Dependency Guard.

// sample/app/build.gradle.kts
dependencyGuard {
    // All dependencies included in Production Release APK
    configuration("releaseRuntimeClasspath") 
}

NOTE: Checkout the "Adding to the Buildscript Classpath" section below if the plugin can't be resolved.

Step 3: Run ./gradlew dependencyGuard to Detect Changes

It's suggested to run in your CI or pre-commit hooks to detect these changes. If this task is not run, then you aren't getting the full benefit of this plugin.

Bump Version and Detect Change

Step 4: Rebaselining to Accept Changes

If any dependencies have changed, you will be provided with the ./gradlew dependencyGuardBaseline task to update the baseline and intentionally accept these new changes.

Rebaseline to Accept Change

Additional Configuration Options

Allow Rules for Dependencies (Optional)

If you have explicit test or debugging dependencies you never want to ship, you can create rules for them here.

dependencyGuard {
    configuration("releaseRuntimeClasspath") {
        allowedFilter = {
            // Disallow dependencies with a name containing "junit"
            !it.contains("junit")
        }
    }
}

Configuring Your Dependency Baseline (Optional)

By default, Dependency Guard tracks modules and artifacts in a list format is generated at dependencies/${configurationName}.txt.

org.jetbrains.kotlin:kotlin-stdlib-common:1.6.10
org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.6.10
org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.6.10
org.jetbrains.kotlin:kotlin-stdlib:1.6.10
org.jetbrains.kotlinx:kotlinx-coroutines-core-jvm:1.5.2
org.jetbrains.kotlinx:kotlinx-coroutines-core:1.5.2
org.jetbrains:annotations:13.0

You can choose to not track modules or artifacts:

dependencyGuard {
  configuration("releaseRuntimeClasspath") {
    // What is included in the list report
    artifacts = true // Defaults to true
    modules = false // Defaults to false
  }
}

Tree Format (Optional)

The builtin Dependencies task from Gradle is :dependencies. The tree format support for Dependency Guard leverages this under the hood and targets it for a specific configuration.

The dependency-tree-diff library in extremely helpful tool, but is impractical for many projects in Continuous Integration since it has a lot of custom setup to enable it. (related discussion). dependency-tree-diff's diffing logic is actually used by Dependency Guard to highlight changes in trees.

The tree format proved to be very helpful, but as we looked at it from a daily usage standpoint, we found that the tree format created more noise than signal. It's super helpful to use for development, but we wouldn't recommend storing the tree format in Git, especially in large projects as it gets noisy, and it becomes ignored. In brainstorming with @joshfein, it seemed like a simple ordered, de-duplicated list of dependencies were better for storing in CI.

dependencies/releaseRuntimeClasspath.tree.txt


------------------------------------------------------------
Project ':sample:app'
------------------------------------------------------------

releaseRuntimeClasspath - Resolved configuration for runtime for variant: release
\--- project :sample:module1
     +--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.6.10
     |    +--- org.jetbrains.kotlin:kotlin-stdlib:1.6.10
     |    |    +--- org.jetbrains:annotations:13.0
     |    |    \--- org.jetbrains.kotlin:kotlin-stdlib-common:1.6.10
     |    \--- org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.6.10
     |         \--- org.jetbrains.kotlin:kotlin-stdlib:1.6.10 (*)
     \--- project :sample:module2
          +--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.6.10 (*)
          \--- org.jetbrains.kotlinx:kotlinx-coroutines-core:1.5.2
               \--- org.jetbrains.kotlinx:kotlinx-coroutines-core-jvm:1.5.2
                    +--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.5.30 -> 1.6.10 (*)
                    \--- org.jetbrains.kotlin:kotlin-stdlib-common:1.5.30 -> 1.6.10

(*) - dependencies omitted (listed previously)

A web-based, searchable dependency report is available by adding the --scan option.

Enabling Tree Format

Enable the tree format for a configuration with the following option:

dependencyGuard {
  configuration("releaseRuntimeClasspath") {
    tree = true // Enable Tree Format
  }
}

Creating a Tree Format Baseline

Detecting Changes in Tree Format

Rebaselining Tree Format

Additional Information

Which Configurations Should be Guarded?

  • Production App Configurations (what you ship)
  • Production Build Configurations (what you use to build your app)

Changes to either one of these can change your resulting application.

How Does Dependency Guard Work?

Dependency Guard writes a baseline file containing all your transitive dependencies for a given configuration that should be checked into git.

Under the hood, we're leveraging the same logic that the Gradle dependencies task uses and displays in build scans, but creating a process which can guard against changes.

A baseline file is created for each build configuration you want to guard.

If the dependencies do change, you'll get easy to read warnings to help you visualize the differences, and accept them by re-baselining. This new baseline will be visible in your Git history to help understand when dependencies changed (including transitive).

Full Configuration Options

dependencyGuard {
  configuration("releaseRuntimeClasspath") {
    // What is included in the list report
    artifacts = true // Defaults to true
    modules = false // Defaults to false

    // Tree Report
    tree = false // Defaults to false

    // Filter through dependencies and return true if allowed.  Build will fail if unallowed.
    allowedFilter = {dependencyName: String ->
        return true // Defaults to true
    }
    // Modify a dependency name or remove it (by returning null) from the baseline file
    baselineMap = { dependencyName: String ->
      return dependencyName // Defaults to return itself
    }
  }
}

Suggested Workflows

The Dependency Guard plugin adds a few tasks for you to use in your Gradle Builds. Your continuous integration environment would run the dependencyGuard task to ensure things did not change, and require developers to re-baseline using the dependencyGuardBaseline tasks when changes were intentional.

Gradle Tasks added by Dependency Guard

dependencyGuard

Compare against the configured transitive dependency report baselines, or generate them if they don't exist.

This task is added to any project that you apply the plugin to. The plugin should only be applied to project you are interested in tracking transitive dependencies for.

dependencyGuardBaseline

This task overwrites the dependencies in the dependencies directory in your module.

Baseline Files

Baseline files are created in the "dependencies" folder in your module. The following reports are created for the :sample:app module by running ./gradlew :sample:app:dependencyGuardBaseline

Adding to the Buildscript Classpath

Snapshot versions are under development and change, but can be used by adding in the snapshot repository

// Root build.gradle
buildscript {
    repositories {
        mavenCentral()
        google()
        gradlePluginPortal()
        // SNAPSHOT Versions of Dependency Guard
        maven { url "https://s01.oss.sonatype.org/content/repositories/snapshots" }
    }
    dependencies {
        classpath("com.dropbox.dependency-guard:dependency-guard:0.4.3")
    }
}

License

Copyright (c) 2022 Dropbox, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

More Repositories

1

zxcvbn

Low-Budget Password Strength Estimation
CoffeeScript
15,061
star
2

lepton

Lepton is a tool and file format for losslessly compressing JPEGs by an average of 22%.
C++
5,008
star
3

godropbox

Common libraries for writing Go services/applications.
Go
4,146
star
4

hackpad

Hackpad is a web-based realtime wiki.
Java
3,520
star
5

djinni

A tool for generating cross-language type declarations and interface bindings.
C++
2,860
star
6

json11

A tiny JSON library for C++11.
C++
2,478
star
7

PyHive

Python interface to Hive and Presto. ๐Ÿ
Python
1,671
star
8

pyannotate

Auto-generate PEP-484 annotations
Python
1,421
star
9

css-style-guide

Dropboxโ€™s (S)CSS authoring style guide
1,143
star
10

goebpf

Library to work with eBPF programs from Go
Go
1,135
star
11

dbxcli

A command line client for Dropbox built using the Go SDK
Go
1,048
star
12

securitybot

Distributed alerting for the masses!
Python
993
star
13

dropbox-sdk-js

The Official Dropbox API V2 SDK for Javascript
JavaScript
934
star
14

dropbox-sdk-python

The Official Dropbox API V2 SDK for Python
Python
885
star
15

rust-brotli

Brotli compressor and decompressor written in rust that optionally avoids the stdlib
Rust
811
star
16

scooter

An SCSS framework & UI library for Dropbox Web.
CSS
789
star
17

changes

A dashboard for your code. A build system.
Python
759
star
18

SwiftyDropbox

Swift SDK for the Dropbox API v2.
Swift
650
star
19

pb-jelly

A protobuf code generation framework for the Rust language developed at Dropbox.
Rust
611
star
20

AffectedModuleDetector

A Gradle Plugin to determine which modules were affected by a set of files in a commit.
Kotlin
603
star
21

fast_rsync

An optimized implementation of librsync in pure Rust.
Rust
601
star
22

sqlalchemy-stubs

Mypy plugin and stubs for SQLAlchemy
Python
570
star
23

dropbox-sdk-java

A Java library for the Dropbox Core API.
Java
565
star
24

pyxl

A Python extension for writing structured and reusable inline HTML.
Python
525
star
25

stone

The Official API Spec Language for Dropbox API V2
Python
399
star
26

nsot

Network Source of Truth is an open source IPAM and network inventory database
Python
392
star
27

focus

A Gradle plugin that helps you speed up builds by excluding unnecessary modules.
Kotlin
382
star
28

divans

Building better compression together
Rust
368
star
29

dropbox-sdk-dotnet

The Official Dropbox API V2 SDK for .NET
C#
327
star
30

hydra

A multi-process MongoDB collection copier.
Python
319
star
31

mypy-PyCharm-plugin

A simple plugin that allows running mypy from PyCharm and navigate between errors
Java
313
star
32

nn

Non-nullable pointers for C++
C++
312
star
33

avrecode

Lossless video compression: decode an H.264-encoded video file and reversibly re-encode it as as a smaller file.
C++
275
star
34

componentbox

Reactive server-driven UI for iOS, Android, and web
Kotlin
260
star
35

dropshots

Easy on-device screenshot testing for Android.
Kotlin
256
star
36

python-zxcvbn

A realistic password strength estimator.
HTML
253
star
37

zxcvbn-ios

A realistic password strength estimator.
Objective-C
223
star
38

llm-security

Dropbox LLM Security research code and results
Python
208
star
39

dbx_build_tools

Dropbox's Bazel rules and tools
Go
208
star
40

nautilus-dropbox

Dropbox Integration for Nautilus
Python
196
star
41

dropbox-sdk-go-unofficial

โš ๏ธ An UNOFFICIAL Dropbox v2 API SDK for Go
Go
184
star
42

dropbox-sdk-obj-c

Official Objective-C SDK for the Dropbox API v2.
Objective-C
182
star
43

rust-alloc-no-stdlib

An interface to a generic allocator so a no_std rust library can allocate memory, with, or without stdlib being linked.
Rust
172
star
44

pygerduty

A Python library for PagerDuty.
Python
164
star
45

kglb

KgLb - L4 Load Balancer
Go
147
star
46

pytest-flakefinder

Runs tests multiple times to expose flakiness.
Python
140
star
47

mdwebhook

A sample app that uses webhooks to convert Markdown files to HTML.
Python
136
star
48

ts-transform-import-path-rewrite

TS AST transformer to rewrite import path
TypeScript
129
star
49

datagraph

Haskell
127
star
50

miniutf

A C++ library for basic Unicode manipulation.
C
119
star
51

PhotoWatch

A demo app for the SwiftyDropbox SDK.
Swift
118
star
52

pilot

Cross-platform MVVM in Swift
Swift
113
star
53

librsync

Dropbox modified version of librysnc
C
109
star
54

XCoverage

Xcode Plugin that displays coverage data in the text editor
Objective-C
100
star
55

vsmc

Vendor Security Model Contract
97
star
56

merou

Permission management service
Python
95
star
57

othw

OAuth 2 the Hard Way - calling the Dropbox API in lots of languages without any Dropbox or OAuth libraries
JavaScript
86
star
58

hypershard-android

CLI tool for collecting tests
Kotlin
84
star
59

trapperkeeper

A suite of tools for ingesting and displaying SNMP traps.
Python
80
star
60

idle.ts

A TypeScript library used to detect idle/active users.
TypeScript
79
star
61

amqp-coffee

An AMQP 0.9.1 client for Node.js.
CoffeeScript
78
star
62

dropbox-sdk-rust

Dropbox SDK for Rust
Rust
75
star
63

lopper

A lightweight C++ framework for vectorizing image-processing code
C++
75
star
64

differ

C++
73
star
65

dbx-career-framework

Python
70
star
66

typed-css-modules-webpack-plugin

Generate TypeScript typing declarations for your TypeScript + CSS Modules project.
TypeScript
69
star
67

kaiken

User scoping library for Android applications.
Kotlin
69
star
68

dropbox-api-content-hasher

Code to compute the Dropbox API's "content_hash"
Java
69
star
69

stopwatch

Scoped, nested, aggregated python timing library
Python
65
star
70

llama

Library for testing and measuring network loss and latency between distributed endpoints.
Go
62
star
71

nodegallerytutorial

Step by step tutorial to build a production-ready photo gallery Web Service using Node.JS and Dropbox.
JavaScript
62
star
72

load_management

This repository contains Go utilities for managing isolation and improving reliability of multi-tenant systems.
Go
54
star
73

rust-brotli-decompressor

An implementation of https://github.com/google/brotli in rust avoiding the stdlib
Rust
53
star
74

rules_node

Node rules for Bazel (unsupported)
Python
52
star
75

hermes

SRE Event and Autotasking system
Python
48
star
76

dropbox-api-v2-explorer

The Official API Explorer for Dropbox's APIs
TypeScript
45
star
77

pynsot

A Python client and CLI utility for the Network Source of Truth (NSoT) REST API.
Python
45
star
78

DropboxBusinessAdminTool

Power User tool to assist Dropbox Business Administrators in managing their Dropbox team
C#
44
star
79

ts-transform-react-constant-elements

A TypeScript AST Transformer that can speed up reconciliation and reduce garbage collection pressure by hoisting React elements to the highest possible scope.
TypeScript
44
star
80

llama-archive

Loss & LAtency MAtrix
Python
43
star
81

ttvc

Measure Visually Complete metrics in real time
TypeScript
42
star
82

DropboxBusinessScripts

Scripting resources to serve as a base for common Dropbox Business tasks
Python
41
star
83

dropbox-ios-dropins-sdk

An iOS library for choosing files in Dropbox.
Objective-C
40
star
84

encfs

EncFS Encrypted Filesystem
C++
38
star
85

dropbox-api-spec

The Official API Spec for Dropbox API V2 SDKs.
Python
37
star
86

onenote-parser

C++
35
star
87

image-search

A hypothetical Dropbox API app that makes it possible to do image searches from Dropbox.
Haskell
34
star
88

dbx-unittest2pytest

Convert unittest asserts to pytest rewritten asserts.
Python
27
star
89

hypershard-ios

โšก the ridiculously fast XCUITest collector.
Swift
26
star
90

dropbox-api-v2-repl

Utilities to test the Dropbox API v2.
Python
26
star
91

hocrux

Handwritten optical character recognition
Python
25
star
92

questions

Simple application for storing interview questions.
Python
24
star
93

dropbox_hook

A tool for testing your Dropbox webhook endpoints.
Python
23
star
94

ruba

fast in-memory analytics datastore in Rust
Rust
21
star
95

libunwind

Pyston's fork of libunwind; originally from git://git.sv.gnu.org/libunwind.git
C
21
star
96

changes-client

A build client for Changes.
Go
19
star
97

libavcodec-hooks

Fork of ffmpeg (git://source.ffmpeg.org/ffmpeg.git). Required to compile avrecode lossless video compression (https://github.com/dropbox/avrecode). Adds hooks into low-level coding functions of libavcodec. License: LGPL.
C
19
star
98

phabricator-changes

Integration between Phabricator and Changes. This repository is no longer maintained.
PHP
18
star
99

Dropline

Tool to monitor how busy an area is using Wi-Fi. Originally intended for Dropbox's Tuck Shop.
Haskell
18
star
100

goprotoc

Go
17
star