Skip to content

Bump gradle-wrapper from 8.7 to 9.6.1#45

Open
dependabot[bot] wants to merge 4 commits into
masterfrom
dependabot/gradle/gradle-wrapper-9.6.1
Open

Bump gradle-wrapper from 8.7 to 9.6.1#45
dependabot[bot] wants to merge 4 commits into
masterfrom
dependabot/gradle/gradle-wrapper-9.6.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 7, 2026

Copy link
Copy Markdown
Contributor

Bumps gradle-wrapper from 8.7 to 9.6.1.

Release notes

Sourced from gradle-wrapper's releases.

9.6.1

The Gradle team is excited to announce Gradle 9.6.1.

Here are the highlights of this release:

  • Improved Configuration Cache hit rates
  • Additional CLI rendering options
  • Important project hierarchy lookup deprecations

Read the Release Notes

We would like to thank the following community members for their contributions to this release of Gradle: Aharnish Solanki, Benedikt Johannes, Devendra Reddy Pennabadi, Dmytro Rodionov, Dreeam, Elías Hernández Rodríguez, Eng Zer Jun, FinlayRJW, Kamal Kansal, Marcono1234, Nelson Osacky, Philip Wedemann, Ravi, Roberto Perez Alcolea, Ryan Schmitt, Sebastian Schuberth, seunghun.ham, sk-reddy17, Suvrat Acharya, Vedant Madane.

Upgrade instructions

Switch your build to use Gradle 9.6.1 by updating your wrapper:

./gradlew :wrapper --gradle-version=9.6.1 && ./gradlew :wrapper

See the Gradle 9.x upgrade guide to learn about deprecations, breaking changes and other considerations when upgrading.

For Java, Groovy, Kotlin and Android compatibility, see the full compatibility notes.

Reporting problems

If you find a problem with this release, please file a bug on GitHub Issues adhering to our issue guidelines. If you're not sure you're encountering a bug, please use the forum.

We hope you will build happiness with Gradle, and we look forward to your feedback via Twitter or on GitHub.

9.6.0

... (truncated)

Commits
  • 309d128 Update fixed issues in release notes for 9.6.1 (#38328)
  • 040a978 Update fixed issues in release notes for 9.6.1
  • e0b8325 Restore --non-interactive flag instead of --interactive/--no-interactive (#38...
  • 946f3e6 Limit explicit temp file permission setting to intended use case (#38300)
  • 65f8224 Restore --non-interactive flag instead of --interactive/--no-interactive
  • e346a5e Adjust CLI flag to configure non-interactive console (#38301)
  • 9b53be9 Adjust CLI flag to configure non-interactive console
  • 0dd3b53 Limit explicit temp file permission setting to intended use case
  • 48e5ac2 Add reproducers
  • 25598fd Prepare 9.6.1 patch release (#38293)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [gradle-wrapper](https://github.com/gradle/gradle) from 8.7 to 9.6.1.
- [Release notes](https://github.com/gradle/gradle/releases)
- [Commits](gradle/gradle@v8.7.0...v9.6.1)

---
updated-dependencies:
- dependency-name: gradle-wrapper
  dependency-version: 9.6.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels Jul 7, 2026
claude added 2 commits July 7, 2026 15:58
Gradle 9 requires JVM 17+ to launch, and drops the deprecated public
org.gradle.util.ConfigureUtil class that io.github.gradle-nexus.publish-plugin
1.1.0 calls unconditionally when configuring nexusPublishing — both would
break every ./gradlew invocation once the wrapper points at 9.6.1.

- Bump io.github.gradle-nexus.publish-plugin 1.1.0 -> 2.0.0, which
  version-gates its use of ConfigureUtil and works fine on Gradle 9.
  Regenerate buildscript-gradle.lockfile to match (dependency locking is
  enabled, so the old locked version would otherwise fail resolution).
- sdk.yml: keep testing against JDK 8/11/16/17/21 via a Gradle Java
  toolchain instead of using the matrix JDK to launch Gradle directly, by
  adding a second setup-java step that installs JDK 21 to run Gradle while
  the matrix JDK stays discoverable through its JAVA_HOME_<version>_X64
  env var for toolchain auto-detection.
- lib/build.gradle: opt-in toolchain, only activated via -PtestJavaVersion
  (passed from CI), so local/default builds are unaffected.
- gradle.properties: org.gradle.java.installations.fromEnv so Gradle's
  toolchain resolver can see the installations set up above.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01K3cSMrYuhNu8ENnbK1XpuH
Gradle 9 no longer implicitly resolves a JUnit Platform Launcher onto the
test runtime classpath; it must be declared explicitly or `test` fails
with "Failed to load JUnit Platform... including the JUnit Platform
launcher." Confirmed live on this PR's own CI run under real Gradle 9.6.1
after the previous fix commit unblocked build configuration.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01K3cSMrYuhNu8ENnbK1XpuH
@socket-security

socket-security Bot commented Jul 7, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedmaven/​org.junit.platform/​junit-platform-launcher@​1.7.2581009010070

View full report

@socket-security

socket-security Bot commented Jul 7, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
License policy violation: maven org.junit.platform:junit-platform-launcher under EPL-2.0

License: EPL-2.0 - The applicable license policy does not permit this license (5) (META-INF/LICENSE.md)

From: lib/gradle.lockfilemaven/org.junit.platform/junit-platform-launcher@1.7.2

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore maven/org.junit.platform/junit-platform-launcher@1.7.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Copy link
Copy Markdown

Review: Gradle wrapper 8.7 → 9.6.1

Verdict: safe to merge, with two fixes pushed to this branch that were required to make the bump actually work (Gradle 9 breaks this repo's build without them — see below). All 5 sdk CI matrix legs (JDK 8, 11, 16, 17, 21) are now green on this branch under the real Gradle 9.6.1 distribution.

What was changed beyond the dependabot diff

  1. io.github.gradle-nexus.publish-plugin bumped 1.1.0 → 2.0.0 (root build.gradle, plus regenerated buildscript-gradle.lockfile). Plugin 1.1.0 unconditionally calls the public org.gradle.util.ConfigureUtil API, which Gradle 9 removes — this crashed configuration of the root project on every single ./gradlew invocation, not just publish tasks, since the nexusPublishing {} block is evaluated whenever the root project is configured. 2.0.0 version-gates this call (verified by decompiling both jars) and works fine on Gradle 9. DSL usage (nexusUrl, snapshotRepositoryUrl, username, password) is unchanged between versions.
  2. sdk.yml CI matrix decoupled from the Gradle launcher JVM. Gradle 9 requires JVM 17+ to run at all, but the matrix tests JDK 8/11/16 too (this SDK targets Java 8 bytecode). Added a second setup-java step to install JDK 21 to launch Gradle, while the matrix JDK stays discoverable via its JAVA_HOME_<version>_X64 env var for Gradle's toolchain auto-detection (lib/build.gradle gained an opt-in java.toolchain block, activated only via -PtestJavaVersion, so local/default builds are unaffected). Added gradle.properties with org.gradle.java.installations.fromEnv to make that discovery work.
  3. Added explicit testRuntimeOnly 'org.junit.platform:junit-platform-launcher' (lib/build.gradle + lib/gradle.lockfile). Gradle 9 no longer implicitly resolves a JUnit Platform launcher onto the test runtime classpath, so :lib:test failed outright without it. Version aligns automatically via the existing org.junit:junit-bom:5.7.2 constraint.

Security check

The wrapper diff (gradlew, gradlew.bat, gradle-wrapper.properties, gradle-wrapper.jar) matches Gradle's own upstream wrapper regeneration exactly — consistent with a legitimate gradle wrapper --gradle-version=9.6.1, not a tampered wrapper. Nothing suspicious found.

Verification

  • Read through this repo's actual Gradle usage (root build.gradle, lib/build.gradle, settings.gradle, all three CI workflows) rather than guessing.
  • Checked the Gradle 8→9 upgrade guide and JVM compatibility docs for breaking changes relevant to what this repo actually uses.
  • Confirmed the ConfigureUtil and JUnit-launcher issues empirically by running the build (system Gradle 8.14.3 locally to catch the deprecation ahead of time, then the real fix validated live via this PR's own sdk GitHub Actions run under actual Gradle 9.6.1 — my sandbox can't download Gradle distributions directly due to an egress restriction on GitHub release assets, so I used the PR's own CI as the ground truth for the final check).
  • Local test run (JDK 21, no secrets) matches baseline: 121 tests, 15 pre-existing e2e failures requiring live API credentials not available outside CI — unrelated to this change, unaffected by it.

No other risks identified. io.github.gradle-nexus.publish-plugin 2.0.0 vs 1.1.0 is the only dependency version change beyond the wrapper itself, and it's a well-scoped, necessary bump for the reason above.


Generated by Claude Code

No content change on checkout (still CRLF per the existing eol=crlf
attribute) — only the internal blob normalization, which was previously
inconsistent with git's own clean filter and caused the file to show as
perpetually modified in any fresh checkout.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01K3cSMrYuhNu8ENnbK1XpuH
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Development

Successfully merging this pull request may close these issues.

2 participants