Arne Stockmans.be


Gradle Exclusive Repository Content

One of the new features you'll find in Gradle 6.2 is the Exclusive Repository Content API. It allows you to specify in which repository a dependency can be found. But why would you need this? Well, here are two reasons why you'd use this:

Performance: You probably have more than one repository in your project. For every dependency, those repositories are searched until the desired artifact is found. Now imagine that one of those repositories has a slow response time: you can already figure out what impact this will have on your build time. Also, why would you call a repository if you already know the artifact won't be there?

Security: Unless you're already using the repository filter API, your project is vulnerable to fake and malicious packages, because a repository you don't control can serve an artifact under the same coordinates as one of your own. A good example can be found here. Besides this issue, Gradle will also be making a call to every repository for each dependency. That way, you expose which dependencies your project uses to a third party. This isn't necessarily a problem, but there can be cases where this is an issue.

So why would you use this over the already existing repository filtering API? Because the repository filtering API only filters which content is available in that specific repository. The requested content isn't exclusive to that repository - it's still possible to download it from a different repository.

For example: Let's say you have a private repository with your private packages. You know for sure that these artifacts are only available on your private repository, and nowhere else. With the new Exclusive Repository Content API, Gradle knows these packages can only be downloaded from your private repository. To get the same result with the already existing repository filter API, you must exclude your packages from every single repository you add. That's not something you want to do.
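
For comparison, here is the repository filter API setup that the paragraph above describes, written as an added example (it is not from the original post). It reuses the post's placeholder URL and group pattern; `https://thirdparty.example/repo` is a hypothetical extra repository.

```groovy
// build.gradle (Groovy DSL). Added illustration of the filter-only approach.
repositories {
    google {
        content {
            // The exclude has to be repeated on every non-private repository.
            excludeGroupByRegex "com\\.mycompany\\..*"
        }
    }
    mavenCentral {
        content {
            excludeGroupByRegex "com\\.mycompany\\..*"
        }
    }
    maven {
        url "https://mycompany.com/repo"
        content {
            // This only restricts what the private repository serves. On its
            // own it does not stop other repositories from being searched
            // for the same group.
            includeGroupByRegex "com\\.mycompany\\..*"
        }
    }
    maven {
        // Hypothetical repository added later. The exclude was forgotten, so
        // it is unfiltered and can again be asked for com.mycompany.* artifacts.
        url "https://thirdparty.example/repo"
    }
}
```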

But how do I use this? Well, here's an example:

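repositories {
    google()
    mavenCentral()

    // Artifacts matching the filter are resolved from this repository only.
    exclusiveContent {
        forRepository {
            maven {
                url "https://mycompany.com/repo"
            }
        }
        filter {
            // Regular expression matched against the dependency's group.
            includeGroupByRegex "com\\.mycompany\\..*"
        }
    }
}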

In this example, every dependency whose groupId matches com\\.mycompany\\..* will be searched for only in the mycompany repository. Neither Google nor Maven Central will be searched for these artifacts, despite being declared earlier. Other dependencies aren't impacted.

Learn more

Check out the official docs. For more details on how to create filters, check out the docs of InclusiveRepositoryContentDescriptor.

© 2020 Arne Stockmans