@ltamaster
No description provided.

@ltamaster ltamaster requested a review from chrismcg14 July 24, 2023 18:45
@fdevans fdevans closed this Feb 3, 2026
fdevans added a commit that referenced this pull request Feb 3, 2026
PR #19 tried to pin to gradle-5.6 branch, but analysis shows:
- gradle-5.6 branch: Last updated April 2021 (unmaintained)
- master branch: Last updated October 2025 (actively maintained)

Master branch has modern features:
- Reproducible builds for security
- Modern Gradle syntax
- Active maintenance

Decision: Keep master with security warning comments (already added)
This supersedes PR #19 which should be closed as outdated.

Co-authored-by: Cursor <cursoragent@cursor.com>

fdevans commented Feb 3, 2026

Thanks for this PR! However, after analysis, we're going to keep using the master branch instead of gradle-5.6.

Reason: The gradle-5.6 branch is outdated:

  • Last updated: April 2021 (almost 4 years ago)
  • Uses older Gradle syntax

The master branch is actively maintained:

  • Last updated: October 2025 (4 months ago)
  • Includes modern security features (reproducible builds)
  • Uses updated Gradle syntax

Our approach: We've addressed the supply chain security concern by adding warning comments to all script plugin templates that load remote Gradle scripts. This makes developers aware of the risk while keeping the benefits of the actively maintained master branch.

This PR is now superseded by PR #22 (release 1.2.0). Recommend closing this PR as outdated.

See commit: a6b5ee2
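
Added example, not part of the comment above and not code from this repository: a small audit that finds remote `apply from:` lines in Gradle template text, reports whether each URL is pinned to an immutable commit SHA rather than a branch such as `master`, and checks whether a warning comment sits on the line before it. The host `example.invalid`, the URL layout, and the warning-comment wording are assumptions made for illustration; the sample input is constructed.

```python
import re

# Groovy-DSL `apply from: '<url>'` lines that load a script over HTTP(S).
REMOTE_APPLY = re.compile(r"""^\s*apply\s+from\s*:\s*['"](https?://[^'"]+)['"]""")
# Assumption: an immutable ref appears as a full 40-hex commit SHA path segment.
COMMIT_SHA = re.compile(r"/[0-9a-f]{40}/")

# Constructed sample template text (not taken from the project).
SAMPLE = """\
apply plugin: 'java'
// WARNING: remote script, contents can change without notice
apply from: 'https://example.invalid/org/build-scripts/master/plugin.gradle'
apply from: "https://example.invalid/org/build-scripts/0123456789abcdef0123456789abcdef01234567/plugin.gradle"
apply from: 'gradle/local.gradle'
"""


def audit(text):
    """Return one finding per remote `apply from:` line in `text`."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        match = REMOTE_APPLY.match(line)
        if not match:
            continue  # local scripts and unrelated lines are out of scope
        url = match.group(1)
        previous = lines[i - 1].strip() if i > 0 else ""
        findings.append({
            "line": i + 1,
            "url": url,
            # Plain HTTP allows the script to be altered in transit.
            "plain_http": url.startswith("http://"),
            # A branch ref can move; a commit SHA cannot.
            "pinned": bool(COMMIT_SHA.search(url)),
            # Assumption: the warning is a `//` comment directly above the line.
            "has_warning": previous.startswith("//") and "warning" in previous.lower(),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        status = "pinned" if f["pinned"] else "MUTABLE REF"
        warned = "warned" if f["has_warning"] else "no warning"
        print(f"line {f['line']}: {status}, {warned}: {f['url']}")
```
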
