Automated Dependency Updates for Gradle
Categories: java
Renovate supports updating Gradle dependencies.
File Matching¶
By default, Renovate will check any files matching any of the following regular expressions:
\.gradle(\.kts)?$
(^|/)gradle\.properties$
(^|/)gradle/.+\.toml$
(^|/)buildSrc/.+\.kt$
\.versions\.toml$
(^|/)versions.props$
(^|/)versions.lock$
For details on how to extend a manager's fileMatch
value, please follow this link.
Supported datasources¶
This manager supports extracting the following datasources: maven
.
Default config¶
{
"fileMatch": [
"\\.gradle(\\.kts)?$",
"(^|/)gradle\\.properties$",
"(^|/)gradle/.+\\.toml$",
"(^|/)buildSrc/.+\\.kt$",
"\\.versions\\.toml$",
"(^|/)versions.props$",
"(^|/)versions.lock$"
],
"timeout": 600,
"versioning": "gradle"
}
Additional Information¶
The gradle
manager uses a custom parser written in JavaScript, similar to many others managers.
It does not call gradle
directly in order to extract a list of dependencies.
Updating lockfiles¶
The gradle manager supports gradle lock files in .lockfile
artifacts, as well as lock files used by the gradle-consistent-versions plugin.
During lock file maintenance, renovate calls ./gradlew :dependencies --write-locks
on the root project and subprojects.
For regular dependency updates, renovate automatically updates lock state entries via the --update-locks
command line flag.
As the output of these commands can be very large, any text other than errors (in stderr
) is discarded.
Dependency verification¶
If Renovate finds a gradle/verification-metadata.xml
file and either <verify-metadata>true</verify-metadata>
or <verify-signatures>true</verify-signatures>
(or both), it updates the content by using the gradle --write-verification-metadata <hashTypes> dependencies
command.
Renovate will check the file for existing hash types (like sha256
) and use them as <hashTypes>
.
Warning
Gradle allows verification metadata to use the md5
and sha1
algorithms.
Because those algorithms are prone to collision attacks, Renovate ignores them.
If Renovate encounters hashes that are generated with md5
or sha1
algorithms, Renovate uses sha256
instead.
Open items¶
The below list of features and bugs were current when this page was generated on December 21, 2024.
Feature requests¶
- Automatic maven username/password extraction from Gradle files #29938
- Support exclusive repositories #14208
- Support for Gradle composite builds #9410
Bug reports¶
- manager(gradle): no deps detected when 3 dep strings present in the configuration #30234