The Gradle team is excited to announce Gradle 6.2.2.
This release adds built-in dependency checksum and signature verification, provides a shareable read-only dependency cache and emits helpful documentation links when you have deprecations in your build.
As always, there are several bug fixes, improvements for plugin authors and more.
We would like to thank the following community contributors to this release of Gradle:
Stefan Neuhaus, EthanLozano, Pavlos-Petros Tournaris, Márton Braun, Thomas Iguchi, Vladimir Sitnikov, Peter Stöckli, Sebastian Schuberth, Frieder Bluemle, ColtonIdle, and Roberto Perez Alcolea.
Switch your build to use Gradle 6.2.2 by updating your wrapper:
./gradlew wrapper --gradle-version=6.2.2
See the Gradle 6.x upgrade guide to learn about deprecations, breaking changes and other considerations when upgrading to Gradle 6.2.2.
NOTE: Gradle 6.2 has had two patch releases, which fixed several issues from the original release. We recommend always using the latest patch release.
For Java, Groovy, Kotlin and Android compatibility, see the full compatibility notes.
Typical projects use a large number of external dependencies which put them at risk of using untrusted code. What if you accidentally introduced malicious code via a transitive dependency? Similarly, what if your build script itself is vulnerable to malicious code execution via a compromised plugin?
In an effort to mitigate these risks, Gradle 6.2 ships with dependency verification. Dependency verification is a major step towards a safer ecosystem by making it possible to verify both the checksums and the signatures of dependencies and plugins used during a build.
By enabling dependency verification, Gradle will:
and therefore reduce the risks of shipping malicious code to production.
With dependency verification, you maintain an XML file with checksums and optionally also signatures of all external artifacts used in your project, which includes, but is not limited to, all jars (binaries, sources, ...) and plugins. Gradle will immediately fail the build if an artifact is not trusted or missing from the configuration file.
Please refer to the user manual for a complete explanation about how to set up dependency verification.
We would like to give special thanks to Vladimir Sitnikov for his feedback and inspiration. A lot of the work on this feature is, in particular, available to previous versions of Gradle via his Checksum Dependency Plugin.
Improving on relocatable dependency caches introduced in the previous release, Gradle 6.2 now offers the ability to share a dependency cache between multiple Gradle instances.
In the context of ephemeral builds on disposable containers, this makes it possible to have a single shared directory that contains the dependencies required by all builds.
Please refer to the user manual to learn how to set up the shared dependency cache.
Gradle lets you declare which repositories should be searched for specific dependencies. This can speed up builds by reducing the number of repositories that need to be searched and increases security by not leaking details about your internal projects.
As an example:
repositories {
mavenCentral()
myRepo {
url "https://my-company.com/repo"
content {
includeGroup "com.mycompany"
}
}
If Gradle needs to resolve the dependency com.mycompany:awesome-lib:1.0
, it will first search in the repository Maven Central and then in your company repository. This is unnecessary if com.mycompany
dependencies will never be found in Maven Central.
Gradle 6.2 provides an exclusive content API, which lets you convieniently declare that a dependency can be found in one repository and it shouldn't be searched for in any other.
repositories {
jcenter()
exclusiveContent {
forRepository {
myRepo {
url "https://my-company.com/repo"
}
}
filter {
includeGroup "com.mycompany"
}
}
}
In this example, when Gradle needs to resolve the dependency com.mycompany:awesome-lib:1.0
, it will only search in your company repository. This avoids the unnecessary dependency lookup with Maven Central.
Please refer to the user manual for details.
Deprecation messages now include links to relevant documentation that can provide more context around the deprecation and explain how to migrate to a new API or avoid the deprecated behavior.
For example:
The compile configuration has been deprecated for dependency declaration. This will fail with an error in Gradle 7.0. Please use the implementation configuration instead. Consult the upgrading guide for further information: https://docs.gradle.org/6.2/userguide/upgrading_version_5.html#dependencies
In some terminals, this link will be clickable and take you directly to the documentation.
The Gradle Wrapper is a binary blob of executable code that is checked into millions of GitHub repositories. There are security implications when accepting changes to gradle-wrapper.jar
that may not be apparent.
We have created an official GitHub Action that allows projects on GitHub to automatically verify that the gradle-wrapper.jar
in their repository was released by Gradle.
You can still manually verify the gradle-wrapper.jar
by following the instructions in the user manual.
Our ExecOperations
and FileSystemOperations
injectable services are now available to Settings plugins.
Promoted features are features that were incubating in previous versions of Gradle but are now supported and subject to backward compatibility. See the User Manual section on the “Feature Lifecycle” for more information.
The following are the features that have been promoted in this Gradle release.
Known issues are problems that were discovered post release that are directly related to changes made in this release.
We love getting contributions from the Gradle community. For information on contributing, please see gradle.org/contribute.
If you find a problem with this release, please file a bug on GitHub Issues adhering to our issue guidelines. If you're not sure you're encountering a bug, please use the forum.
We hope you will build happiness with Gradle, and we look forward to your feedback via Twitter or on GitHub.