Update dependencyAnalysis to v3 (major) #86

Open
renovate[bot] wants to merge 1 commit into main from deps/major-dependencyanalysis
Contributor

@renovate renovate bot commented Oct 9, 2025

This PR contains the following updates:

Package                                                Change
com.autonomousapps.dependency-analysis                 2.1.0 → 3.6.1
com.autonomousapps:dependency-analysis-gradle-plugin   2.1.0 → 3.6.1

Release Notes

autonomousapps/dependency-analysis-android-gradle-plugin (com.autonomousapps:dependency-analysis-gradle-plugin)

v3.6.1

  • [Fix]: use compilation.disambiguatedName for crafting the task suffix.

v3.6.0

  • [Breaking]: min version of Android Gradle Plugin (AGP) is now 8.10.0.
  • [Feat]: support KMP projects with JVM targets.
  • [Feat]: support KMP projects with Android targets.
  • [Feat]: update console report to be more idiomatic for KMP.
  • [Feat]: implement ABI inclusions filter.
  • [Feat]: add lifecycle resolveExternalDependencies task.
  • [Fix]: improve Class.forName handling.
  • [Fix]: remove dependency to javax.inject.
  • [Fix]: potential resource leak in JarExploder.
  • [Fix]: duplicate class detection for annotations.
  • [Fix]: use latest-kotlin editor.
  • [Refactor]: move two public types to an internal package to exclude from published api, and exclude the
    com.autonomousapps.model.internal package from the published api.
  • [Refactor]: moved a lot of task-registration code into AbstractDependencyAnalyzer.
  • [Docs]: add link to maven-hijack blog post.

v3.5.1

  • [Fix]: don't try to process a non-match as a binary incompatibility.
  • [Fix]: use version catalog when applying the build-health plugin.
  • [Fix]: bundleTraces is a sortedSet and BundleTrace is Comparable.

v3.5.0

  • [Feat]: check binary compatibility between consumer and producer code.
  • [Feat]: support the com.google.cloud.tools.jib plugin as an application-type plugin.
  • [Fix]: 'reason' works for project dependencies.
  • [Fix]: strip empty lines from service loaders.
  • [Docs]: clarify compatibilities with other plugins.
  • [Docs]: document the existence of dependencyAnalysis.app().

v3.4.1

  • [Fix]: find runtime graph for debugAndroidTest sources.

v3.4.0

  • [Fix]: InferredCapability merging logic should use 'or', not 'and'.
  • [Fix]: Improve IP safety of GlobalDslService.
  • [Fix]: for builds with Gradle 9.1.0+, get the buildPath from the Gradle instance.
  • [Chore]: update to Gradle 9.1.0 (from 9.0.0).

v3.3.0

  • [Feat]: detect reflective access using Class.forName().

v3.2.0

  • [Feat]: don't drop transitive runtime dependencies when removing 'unused' dependencies.
    See the PR description for more information.
  • [Fix]: consider suspend function return types with type parameters.
  • [Fix]: consider imports when computing usage of typealiases.
  • [Fix]: annotation processors are not blank strings.
  • [Fix]: update Kotlin metadata to 2.2.20 for Kotlin 2.3 support.
  • [Chore]: always publish build scans on CI. Optionally publish them locally.

To publish build scans, add the following, as indicated:


# ~/.gradle/gradle.properties
dependency.analysis.scans.publish=true

v3.1.0

  • [Fix] Updated asm to 9.9 (and use latest asm-relocated) for Java 25 support.
  • [Fix]: Test fixtures in a Spring Boot project are allowed to have testFixturesApi dependencies.
  • [Test]: run tests against Gradle 9.1.0.

v3.0.4

  • [Fix] Remove auto-applied kotlin-stdlib for Gradle 8.11 support.

v3.0.3

  • [Fix]: compare versions via VersionNumber, not raw strings.
  • [Fix] Forcibly downgrade kotlin-stdlib to 2.0.21 for Gradle 8.11 support.

v3.0.2

  • [Fix] Downgrade Kotlin to 2.0.21 for Gradle 8.11 support.
  • [Fix]: min AGP version is 8.4.2.
  • [Fix]: Remove kotlin-dsl plugin usage.
  • [Fix]: correctly react to new/deleted/renamed files in Android projects.
  • [Fix]: resource ref problem (#1525).
  • [Chore]: update to AGP 8.13 stable.
  • [Chore]: use gradle plugin publishing plugin 2.0.0.

v3.0.1

  • [Fix] set apiVersion and languageVersion to 2.0 for Gradle 8.11 support.

v3.0.0

  • [Build] now building with Gradle 9.0.0.

  • [Breaking] minimum supported version of Gradle is now 8.11.

  • [Breaking]: annotations and their parameter classes are always considered compileOnly.

    Annotations for which the class file is not present are treated like being non-existent by the JVM.
    If someone wants to consume an annotation via reflection, they are responsible for providing the class file
    at runtime, so from the annotating project's view, annotations are always compileOnly.
    The same is true for classes and enums used as annotation arguments.
    The only exception is a class literal as argument that is coming from a different artifact than the
    annotation, such as a JUnit 4 runner implementation; those are considered implementation.

  • [Feat]: Add type-safe accessor support for fixDependencies task.

  • [Feat]: report excluded dependencies as unused.

  • [Feat]: add coordinates identifier in the error message for invalid change.

  • [Feat]: moving internal.artifacts package to new module, com.autonomousapps:variant-artifacts.

  • [Feat]: detect and report all Android resource references in Manifest files.

  • [Fix]: detect constants more consistently including from e.g. inner classes.

  • [Fix]: Move useTypesafeProjectAccessors to global dsl service.

  • [Fix]: reason works on included builds.

  • [Fix]: recognize test fixtures not only in Android libraries, but in Android app modules, too.

  • [Fix]: use Android flavors more consistently in advice.

  • [Chore]: update guava to 33.4.8-jre.

  • [Chore]: update AGP to the latest stable version, 8.12.0, and test against 8.13.0-alpha03.

  • [Chore]: add API-tracking tasks using metalava. Adopt semantic versioning.

v2.19.0

  • [Feat]: support advices for Android test fixtures source sets
  • [Feat]: support typesafe project accessors in IssueHandler
  • [Fix]: bump kotlin-metadata-jvm to 2.1.21 to support K2.2 projects.
  • [Chore]: move publishing to new central.sonatype.com repo.

v2.18.0

  • [Breaking]: update min support AGP version to 8.3.
  • [Feat]: Allow excluding violations by regex patterns.
  • [Feat]: add ProviderConvertible support.
  • [Feat]: add support for Activity theme in AndroidManifest.xml
  • [Feat]: Android merged manifests are now treated as runtime (not compile-time) requirements.
  • [Feat]: detect code source files that live outside of src/main as an AGP feature being used.
  • [Fix]: detect class references in the base package.
  • [Fix]: detect constants defined in Kotlin companion objects.
  • [Fix]: detect androidTest source set as a test source-set.
  • [Fix]: set android dependencies weight to 100.
  • [Fix]: also check for com.android.test.
  • [Chore]: use Gradle 8.14.
  • [Chore]: kotlin.metadata.jvm no longer needs to be non-transitive, since bumping to K2 for this project.
  • [Chore]: fix snapshot publishing by making task dependency more lazy.
  • [Chore]: update badge to point to actual workflow.

v2.17.0

  • [Fix]: duplicate class warning doesn't warn about multiple dependencies with same GAV.
  • [Fix]: ensure all capabilities are internally sorted; also synthesized dependencies.
  • [Fix]: ensure all dependencies are internally sorted.
  • [Fix]: ensure output of GraphViewTask is fully sorted (therefore deterministic).
  • [Fix]: intermediate android res classes must have meaningful hashCode() functions.
  • [Fix]: improve sorting of various build outputs to ensure determinism.

v2.16.0

  • [Feat]: support com.android.test projects.
  • [Feat]: support typesafe project accessors with opt-in.

dependencyAnalysis {
  useTypesafeProjectAccessors(true) // false by default
}

v2.15.0

  • [Feat]: superclass analysis is now opt-in. This is a breaking change since 2.7.0, when that feature was introduced.

dependencyAnalysis {
  usage {
    analysis {
      checkSuperClasses(true) // false by default 
    }
  }
}

v2.14.0

  • [Feat]: add temporary flag to test opting-out of superclass analysis.
  • [Fix]: @InputFiles is redundant next to @Classpath.

v2.13.3

  • [Fix]: check java/main in addition to kotlin/main to find correct artifact folder
  • [Fix]: use projectPath, not identityPath, for included build coordinates.

v2.13.2

  • [Fix]: detect usages of SAM interfaces.
  • [Fix]: binaryClassAccesses uses sorted keys.

v2.13.1

  • [Fix]: differentiate between main and other variants when rewriting dependencies with Kotlin DSL.

v2.13.0

  • [Feat]: computeResolvedDependencies to also generate a version catalog file
  • [Feat]: experimenting with compressing intermediates, starting with exploded-jars.json.
  • [Chore]: remove unused moshi functions.

v2.12.0

  • [Feat]: detect dependencies that provide dylibs for use on macOS.
  • [Test]: incorrect attribution of so files to Android deps.

v2.11.0

  • [Feat]: new task (:computeAllDependencies) for producing a version catalog file containing all dependencies.
  • [Fix]: kotlin-reflect must be on the compile classpath.
  • [Test]: Update AGP 8.9.0 stable.
  • [Test]: conditional signing.

v2.10.1

  • [Fix]: BuildHealthException extends VerificationException.
  • [Fix]: module advice must be 'actionable' to be 'not empty'.

v2.10.0

  • [Feat]: new dependencyAnalysis.reporting.printBuildHealth DSL option.
  • [Fix]: support colorizing multiline strings.

v2.9.0

  • [Feat]: if buildHealth contains only warnings, adjust message to be less severe.
  • [Feat]: provide way to opt-out of printing postscript if it only contains warnings.
  • [Feat]: improve console output with colors and smarter vertical spacing.
  • [Fix]: improve comparability of Declaration.
  • [Fix]: dependency model classes are now fully Comparable.
  • [Fix]: Source is fully Comparable.
  • [Fix]: ExplodingBytecode is fully Comparable.
  • [Perf]: improve performance of isForMissingSuperclass (again).
  • [Chore]: update to Kotlin 2.0.21.
  • [Chore]: test against AGP 8.9 and 8.10

dependencyAnalysis {
  reporting {
    onlyOnFailure(false) // when true, only prints postscript when there are failure-level issues.
    postscript(/* Some text to help out end users who may not be build engineers. */)
  }
}

v2.8.2

  • [Fix]: generate supergraph just once per variant (source set).

v2.8.1

  • [Fix]: cache SuperClassGraph. No need to recompute for each dependency.
  • [Fix]: use less heap by using empty singleton collections.
  • [Fix]: trade metaspace for heap by interning strings.

v2.8.0

  • [Feat]: support reasoning about multiple pieces of advice.
  • [Fix]: compute/printDuplicateDependencies works even when not all projects apply this plugin.
  • [Fix]: do not filter out advice to add to testImplementation if there is conflicting advice to downgrade from implementation.
  • [Fix]: compileOnly dependencies are not visible to the test compile classpath.
  • [Build]: use Gradle 8.12.1
  • [Chore]: update to AGP 8.8.0
  • [Refactor]: use DependencyHandler.project() instead of Project.project().
  • [Test]: only run functionalTest against latest combination of AGP and Gradle.
  • [Test]: don't forward stdout on CI.

v2.7.0

  • [Feat]: can set severity and filter duplicate class warnings.
  • [Feat]: don't recommend removing implementation dependency on necessary superclass.
  • [Chore]: use non-deprecated method when available.
  • [Chore]: update various dependencies, including antlr.

New DSL option for configuring duplicate class warnings:

// root build.gradle[.kts]
dependencyAnalysis {
  issues {
    all {
      onDuplicateClassWarnings {
        severity(<"fail"|"warn"|"ignore">)
        // Fully-qualified class reference to exclude, slash- or dot-delimited
        exclude("org/jetbrains/annotations/NotNull", "org.jetbrains.annotations.Nullable")
      }
    }
  }
}

v2.6.1

  • [Fix]: superClassName can be null (Object has no superclass).

v2.6.0

  • [Feat]: improvements relating to generating project graphs.
  • [Fix]: use stable kotlin-metadata 2.0.21.
  • [Fix]: error message code example
  • [Chore]: use graph-support v0.4.
  • [Chore]: build with Gradle 8.11.1.
  • [Chore]: use com.gradle.develocity plugin exclusively.
  • [Chore]: replace deprecated kotlinOptions with compilerOptions.

v2.5.0

  • [Feat]: use KotlinEditor to rewrite Gradle Kotlin DSL scripts.
  • [Fix]: ProjectAdvice is totally Comparable.
  • [Refactor]: make a lot of data models internal that don't need to be public.

v2.4.2

  • [Fix]: reason can explain usage of invisible annotations.

v2.4.1

  • [Fix]: differentiate visible from invisible annotations.
  • [Fix]: enable easier runtime debugging of bytecode analysis.
    Use -Ddependency.analysis.bytecode.logging=true to get extremely verbose logging during bytecode analysis.

v2.4.0

  • [Feat]: detect duplicate class files on compile and runtime classpaths, and warn.
  • [Fix]: use asm-relocated 9.7.1.0. Support Java 23.

v2.3.0

  • [Feat]: enable reason task to get reason for specific gradle capabilities (e.g., test-fixtures).
  • [Fix]: don't suggest removing runtime-required annotation libraries.
  • [Fix]: only print issue postscript if there's an issue to report.

Example usage of reason:

./gradlew app:reason --id foo --capability test-fixtures

Which will print the "reason" for any advice relating to the test-fixtures variant of the foo library.

v2.2.0

  • [Feat]: new ReportingHandler with ability to specify postscript.
  • [Feat]: DSL option that opts-in source sets to requiring explicit dependencies.
  • [Chore]: build and test against Gradle 8.10.2.
  • [Chore]: bump to latest Kotlin 1.9.x patch.
  • [Chore]: update to AGP 8.7 stable and 8.8 alpha04

Summary of new DSL options below:

// root build.gradle[.kts] or settings.gradle[.kts]
dependencyAnalysis {
  structure {
    explicitSourceSets(/* vararg of source sets to be treated "explicitly" */)
  }
  reporting {
    postscript(/* Some text to help out end users who may not be build engineers. */)
  }
}

v2.1.4

  • [Fix]: @Metadata's d2 array should typically be compileOnly.

v2.1.3

  • [Fix]: kotlin modules can have java code.
  • [Fix]: classes referenced in runtime-retained annotations are required at runtime.
  • [Fix]: reason for dependencies used in annotations is still confusing but less misleading.

v2.1.2

  • [Fix]: include project description json at both external and internal coordinates.

v2.1.1

  • [Fix]: improve separation of "annotation" vs "not-annotation" in bytecode analysis.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies label Oct 9, 2025
@renovate renovate bot force-pushed the deps/major-dependencyanalysis branch from cb6131c to 7095391 Compare October 19, 2025 11:30
@renovate renovate bot force-pushed the deps/major-dependencyanalysis branch 2 times, most recently from 2ddd35f to 494b9a6 Compare November 23, 2025 11:39
@renovate renovate bot force-pushed the deps/major-dependencyanalysis branch from 494b9a6 to 3a6e6aa Compare November 30, 2025 16:06
@renovate renovate bot force-pushed the deps/major-dependencyanalysis branch from 3a6e6aa to 6546766 Compare February 26, 2026 10:35
@renovate renovate bot force-pushed the deps/major-dependencyanalysis branch from 6546766 to 009b33b Compare February 26, 2026 20:36