Dependabot's support for Gradle lockfiles is not working when Gradle's "Version Catalog" is in use #12557

Open
@dmikurube

Description

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

Gradle

Package manager version

8.14.2

Language version

Java

Manifest location and content before the Dependabot update

/build.gradle

plugins {
    id "java"
}

repositories {
    mavenCentral()
}

group = "io.github.dmikurube"
version = "0.1.0-SNAPSHOT"

configurations {
    compileClasspath.resolutionStrategy.activateDependencyLocking()
    runtimeClasspath.resolutionStrategy.activateDependencyLocking()
}

java {
    toolchain {
        languageVersion = JavaLanguageVersion.of(21)
    }
}

dependencies {
    implementation libs.slf4j.api
}

/gradle.lockfile

# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
org.slf4j:slf4j-api:2.0.0=compileClasspath,runtimeClasspath
empty=

/gradle/libs.versions.toml

[versions]

slf4j-api = "2.0.0"

[libraries]

slf4j-api = { group = "org.slf4j", name = "slf4j-api", version.ref = "slf4j-api" }

dependabot.yml content

---
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "daily"

Updated dependency

The dependency was updated in /gradle/libs.versions.toml, but /gradle.lockfile was not updated.

What you expected to see, versus what you actually saw

As the "Support for Gradle lockfiles" is generally available, I expected to see an update with gradle.lockfile for my Gradle project.

However, in one of my repositories, Dependabot didn't update gradle.lockfile. By making some small example repositories, I've identified that it is not working when Gradle's "Version Catalog" is used in the repository.

Similar issues are discussed in #2222.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

See the examples below to narrow down the issue. The second one (with Gradle's Version Catalog) is failing.

Smallest manifest that reproduces the issue

Shown in "Manifest location and content before the Dependabot update" -- this is the narrowed down case.
