gradle: fix wrapper updater crash when only some wrapper files define checksum #14399

Merged: kbukum1 merged 1 commit into dependabot:main from pedromfmachado:fix-gradle-wrapper-checksum-crash on Mar 10, 2026

@pedromfmachado (Contributor) commented Mar 9, 2026

Problem

Dependabot crashes updating gradle-wrapper in repositories with multiple gradle-wrapper.properties files when only some files include distributionSha256Sum.

Error:

  • Error processing gradle-wrapper (TypeError)
  • T.let: Expected type String, got type NilClass

Root cause

WrapperUpdater#command_args used a global guard:

  • dependency.requirements.size > 1

but indexed into the local per-file slice:

  • requirements[1]

In mixed multi-wrapper scenarios, a local file can have only one requirement (distributionUrl), so requirements[1] is nil and Sorbet raises.

Fix

Use a local guard and nullable type for checksum extraction:

  • checksum = T.let(requirements[1]&.[](:requirement), T.nilable(String)) if requirements.size > 1

This keeps behavior for single-wrapper repositories unchanged and prevents the crash for mixed multi-wrapper repositories.

Test coverage

Added a focused regression spec:

  • gradle/spec/dependabot/gradle/file_updater/wrapper_updater_spec.rb

Scenario covered:

  • dependency has merged requirements for two wrapper files
  • current file has only distributionUrl
  • another file has distributionUrl + distributionSha256Sum

Assertion:

  • no checksum argument is added for the file without checksum and no crash occurs.

Testing

bin/test gradle spec/dependabot/gradle/file_updater/wrapper_updater_spec.rb spec/dependabot/gradle/file_updater_spec.rb --example wrapper

Result:

  • 5 examples, 0 failures

@pedromfmachado pedromfmachado requested a review from a team as a code owner March 9, 2026 17:39
@github-actions github-actions Bot added the L: java:gradle Maven packages via Gradle label Mar 9, 2026
@kbukum1 kbukum1 self-assigned this Mar 9, 2026
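
The guard mismatch described in the PR, as an added example that is not part of the PR or of Dependabot's code: a simplified model in which the file paths, the checksum placeholder, the helper names and the `let_string` stand-in for Sorbet's `T.let` are all assumptions made for illustration.

```ruby
# Added illustration: a simplified model, not Dependabot's WrapperUpdater.
# Constructed sample data: merged requirements for two wrapper files.
APP = "app/gradle/wrapper/gradle-wrapper.properties" # distributionUrl only
LIB = "lib/gradle/wrapper/gradle-wrapper.properties" # distributionUrl + distributionSha256Sum
MERGED = [
  { file: APP, requirement: "8.7" },
  { file: LIB, requirement: "8.7" },
  { file: LIB, requirement: "constructed-sha256-placeholder" }
].freeze

# Hypothetical stand-in for T.let(value, String) so the model needs no gems.
def let_string(value)
  raise TypeError, "T.let: Expected type String, got type #{value.class}" unless value.is_a?(String)

  value
end

def slice_for(file)
  MERGED.select { |r| r[:file] == file }
end

# Before: the guard reads the merged list, the index reads the per-file slice.
def args_global_guard(file)
  requirements = slice_for(file)
  checksum = let_string(requirements[1]&.[](:requirement)) if MERGED.size > 1
  build_args(requirements, checksum)
end

# After: guard and index read the same per-file slice; checksum may be nil.
def args_local_guard(file)
  requirements = slice_for(file)
  checksum = requirements[1]&.[](:requirement) if requirements.size > 1
  build_args(requirements, checksum)
end

# Simplified argument list; the checksum flag is passed only when one exists.
def build_args(requirements, checksum)
  args = ["wrapper", "--gradle-version", let_string(requirements[0]&.[](:requirement))]
  args += ["--gradle-distribution-sha256-sum", checksum] if checksum
  args
end

# Wrapper files that will be regenerated without a pinned distribution checksum.
def files_without_checksum
  MERGED.group_by { |r| r[:file] }.select { |_, reqs| reqs.size < 2 }.keys
end

puts args_local_guard(APP).inspect
puts args_local_guard(LIB).inspect
puts "no checksum: #{files_without_checksum.inspect}"
```

The files reported by `files_without_checksum` are the ones whose wrapper update carries no distributionSha256Sum, so Gradle will not verify the downloaded distribution for them.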
@kbukum1 (Contributor) left a comment

LGTM

Co-authored-by: Codex <noreply@openai.com>
@kbukum1 kbukum1 force-pushed the fix-gradle-wrapper-checksum-crash branch from 17fe271 to ecaec57 Compare March 10, 2026 19:11
@kbukum1 kbukum1 merged commit 5d96f6a into dependabot:main Mar 10, 2026
66 of 67 checks passed