Automated Dependency Updates for Gradle
Categories: java
Renovate supports updating Gradle dependencies.
File Matching
By default, Renovate will check any files matching any of the following regular expressions:
/\.gradle(\.kts)?$/
/(^|/)gradle\.properties$/
/(^|/)gradle/.+\.toml$/
/(^|/)buildSrc/.+\.kt$/
/\.versions\.toml$/
/(^|/)versions.props$/
/(^|/)versions.lock$/
For details on how to extend a manager's managerFilePatterns value, please follow this link.
Supported datasources
This manager supports extracting the following datasources: maven.
Default config
{
  "managerFilePatterns": [
    "/\\.gradle(\\.kts)?$/",
    "/(^|/)gradle\\.properties$/",
    "/(^|/)gradle/.+\\.toml$/",
    "/(^|/)buildSrc/.+\\.kt$/",
    "/\\.versions\\.toml$/",
    "/(^|/)versions.props$/",
    "/(^|/)versions.lock$/"
  ],
  "timeout": 600,
  "versioning": "gradle"
}
Additional Information
The gradle manager uses a custom parser written in JavaScript, similar to many other managers.
It does not call gradle directly in order to extract a list of dependencies.
Executing the Gradle Wrapper
Renovate will only execute the Gradle Wrapper (via ./gradlew or gradlew.bat) if the self-hosted administrator configures allowedUnsafeExecutions to include the gradleWrapper option.
This is required because executing the Gradle Wrapper is a possible supply chain attack vector.
Updating lockfiles
The gradle manager supports Gradle lock files in .lockfile artifacts, as well as lock files used by the gradle-consistent-versions plugin.
During lock file maintenance, Renovate calls ./gradlew :dependencies --write-locks on the root project and subprojects.
For regular dependency updates, Renovate automatically updates lock state entries via the --update-locks command line flag.
As the output of these commands can be very large, any text other than errors (in stderr) is discarded.
Dependency verification
If Renovate finds a gradle/verification-metadata.xml file and either <verify-metadata>true</verify-metadata> or <verify-signatures>true</verify-signatures> (or both), it updates the content by using the ./gradlew --write-verification-metadata <hashTypes> dependencies command.
Renovate will check the file for existing hash types (like sha256) and use them as <hashTypes>.
Warning
Gradle allows verification metadata to use the md5 and sha1 algorithms.
Because those algorithms are prone to collision attacks, Renovate ignores them.
If Renovate encounters hashes that are generated with md5 or sha1 algorithms, Renovate uses sha256 instead.
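The hash type selection described above, sketched as an added example (this is not Renovate's own code). The function names, the constructed sample file, the treatment of sha512 as a type to keep, and the sha256 fallback when no checksums are present are assumptions of this sketch.

```javascript
// Added example: not Renovate's code. Regex-based reading of verification-metadata.xml.
const WEAK = ['md5', 'sha1'];        // collision-prone, ignored per the warning above
const STRONG = ['sha256', 'sha512']; // assumption: the checksum types worth keeping

// Constructed sample file; the checksum values are placeholders.
const SAMPLE = `<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata>
  <configuration>
    <verify-metadata>true</verify-metadata>
    <verify-signatures>false</verify-signatures>
  </configuration>
  <components>
    <component group="org.example" name="lib" version="1.0">
      <artifact name="lib-1.0.jar">
        <sha1 value="PLACEHOLDER" origin="Generated by Gradle"/>
        <md5 value="PLACEHOLDER" origin="Generated by Gradle"/>
      </artifact>
    </component>
  </components>
</verification-metadata>`;

// True when either verification mode is switched on.
function verificationEnabled(xml) {
  return /<verify-(metadata|signatures)>\s*true\s*<\/verify-\1>/.test(xml);
}

// Checksum element names present in the file, in order of first appearance.
function findHashTypes(xml) {
  const found = new Set();
  for (const m of xml.matchAll(/<(md5|sha1|sha256|sha512)\s+value="/g)) found.add(m[1]);
  return [...found];
}

// Returns null when verification is off, otherwise the hash types and command to run.
function planUpdate(xml) {
  if (!verificationEnabled(xml)) return null;
  const found = findHashTypes(xml);
  const kept = STRONG.filter((t) => found.includes(t));
  const hashTypes = kept.length > 0 ? kept : ['sha256']; // weak-only or empty: use sha256
  return {
    ignored: found.filter((t) => WEAK.includes(t)),
    hashTypes,
    command: `./gradlew --write-verification-metadata ${hashTypes.join(',')} dependencies`,
  };
}

console.log(planUpdate(SAMPLE));
```

A non-empty ignored list is worth surfacing in review: it means the committed file still carries md5 or sha1 entries that should be regenerated with a stronger algorithm.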
Open items
The list of features below was current when this page was generated on January 25, 2026.