The dependency lock provider retrieves recommendations from Nebula dependency lock files. Often these files are committed to source control for the sake of build repeatability. Publishing them directly to an artifact repository or some other file-based location allows them to be used as a recommendation source in other projects.

As noted in the file-based providers documentation, dependency lock providers can be loaded from local files, URIs, URLs, dependency artifacts, and the plain InputStream.

apply plugin: 'java'
apply plugin: 'nebula-dependency-recommender'
dependencyRecommendations {
   // the @lock ext is added by the provider if omitted
   dependencyLock module: 'sample:dependencies:1.0'
}

Here is an example lock file:

{
   "commons-logging:commons-logging": { "locked": "1.1.1", "requested": "1.1.+" },
   "commons-configuration:commons-configuration": { "locked": "1.1.2" }
}