How do I replace/override a dependency of a sbt plugin with a completely different artifact?

Question

In my project/plugins.sbt file, I add a plugin that pulls in a dependency that has a vulnerability. The fix is another artifact that has a completely different group ID. How do I replace the first dependency with the fix?

So if, in plugins.sbt, I have something like

addSbtPlugin("com.fake.something", "myplugin", "0.1.2")

and that plugin pulls in dependency org.some.framework:framework-core:1.2.3 I want to replace that dependency with another with a completely different group ID: com.fixed.framework:framework-core:4.5.5

Is there a way to configure plugins.sbt (or build.sbt) so that org.some.framework:framework-core:1.2.3 is replaced with com.fixed.framework:framework-core:4.5.6 upon build? (I've already looked at using a newer version of the plugin - unfortunately the newer versions have the same vulnerability)

Thank you for reading my question?

Answer 1

1st option could be:

1. fork the sbt plugin
2. replace the library with the vulnerability with the one that has the fix
3. build and publish the plugin (could be locally o to an artifactory)

---

2nd option:

Create a PR in the plugin repo with the fix detailing why you are doing that

---

3rd option (not sure if this one works because I haven't tried it)

addSbtPlugin(
  ("com.fake.something" % "myplugin" % "0.1.2")
    .exclude("org.some.framework", "framework-core")
)

libraryDependencies += {
  val sbtV = (pluginCrossBuild / sbtBinaryVersion).value
  val scalaV = (update / scalaBinaryVersion).value
  sbtPluginExtra("com.fixed.framework" % "framework-core" % "4.5.5", sbtV, scalaV)
}

Details about how I get to last option

If you look at the three implementations of addSbtPlugin, the method returns a Setting[Seq[ModuleID]]

/**
 * Adds `dependency` as an sbt plugin for the specific sbt version `sbtVersion` and Scala version `scalaVersion`.
 * Typically, use the default values for these versions instead of specifying them explicitly.
 */
def addSbtPlugin(
    dependency: ModuleID,
    sbtVersion: String,
    scalaVersion: String
): Setting[Seq[ModuleID]] =
  libraryDependencies += sbtPluginExtra(dependency, sbtVersion, scalaVersion)

/**
 * Adds `dependency` as an sbt plugin for the specific sbt version `sbtVersion`.
 * Typically, use the default value for this version instead of specifying it explicitly.
 */
def addSbtPlugin(dependency: ModuleID, sbtVersion: String): Setting[Seq[ModuleID]] =
  libraryDependencies += {
    val scalaV = (update / scalaBinaryVersion).value
    sbtPluginExtra(dependency, sbtVersion, scalaV)
  }

/**
 * Adds `dependency` as an sbt plugin for the sbt and Scala versions configured by
 * `sbtBinaryVersion` and `scalaBinaryVersion` scoped to `update`.
 */
def addSbtPlugin(dependency: ModuleID): Setting[Seq[ModuleID]] =
  libraryDependencies += {
    val sbtV = (pluginCrossBuild / sbtBinaryVersion).value
    val scalaV = (update / scalaBinaryVersion).value
    sbtPluginExtra(dependency, sbtV, scalaV)
  }

all of them, call sbtPluginExtra

def sbtPluginExtra(m: ModuleID, sbtV: String, scalaV: String): ModuleID =
  partialVersion(sbtV) match {
    case Some((0, _)) | Some((1, _)) =>
      m.extra(
          PomExtraDependencyAttributes.SbtVersionKey -> sbtV,
          PomExtraDependencyAttributes.ScalaVersionKey -> scalaV
        )
        .withCrossVersion(Disabled())
    case Some(_) =>
      // this produces a normal suffix like _sjs1_2.13
      val prefix = s"sbt${binarySbtVersion(sbtV)}_"
      m.cross(CrossVersion.binaryWith(prefix, ""))
    case None =>
      sys.error(s"unknown sbt version $sbtV")
  }

sbtPluginExtra returns a ModuleID wich has the method exclude(org, name)

/** Excludes the dependency with organization `org` and `name` from being introduced by this dependency during resolution. */
def exclude(org: String, name: String): ModuleID =
  excludeAll(ExclusionRule().withOrganization(org).withName(name))

Based on the code shared at the beginning I exclude the org and name you said and then manually added the dependency you want to add with the sbt and scala version you are using