397ab49ef3
Co-authored-by: Michael Kriese <michael.kriese@gmx.de> |
||
---|---|---|
.. | ||
__fixtures__ | ||
__snapshots__ | ||
extract | ||
parser | ||
artifacts.spec.ts | ||
artifacts.ts | ||
extract.spec.ts | ||
extract.ts | ||
index.ts | ||
parser.spec.ts | ||
parser.ts | ||
readme.md | ||
types.ts | ||
update.spec.ts | ||
update.ts | ||
utils.spec.ts | ||
utils.ts |
The gradle
manager uses a custom parser written in JavaScript, similar to many others managers.
It does not call gradle
directly in order to extract a list of dependencies.
Updating lockfiles
The gradle manager supports gradle lock files in .lockfile
artifacts, as well as lock files used by the gradle-consistent-versions plugin.
During lock file maintenance, renovate calls ./gradlew :dependencies --write-locks
on the root project and subprojects.
For regular dependency updates, renovate automatically updates lock state entries via the --update-locks
command line flag.
As the output of these commands can be very large, any text other than errors (in stderr
) is discarded.
Dependency verification
If Renovate finds a gradle/verification-metadata.xml
file and either <verify-metadata>true</verify-metadata>
or <verify-signatures>true</verify-signatures>
(or both), it updates the content by using the gradle --write-verification-metadata <hashTypes> dependencies
command.
Renovate will check the file for existing hash types (like sha256
) and use them as <hashTypes>
.
!!! warning
Gradle allows verification metadata to use the md5
and sha1
algorithms.
Because those algorithms are prone to collision attacks, Renovate ignores them.
If Renovate encounters hashes that are generated with md5
or sha1
algorithms, Renovate uses sha256
instead.