Is there a way to figure out what all public repos...
# dependency-management
r
Is there a way to figure out what all public repository for dep resolution are added in the project, apart from looking at where a particular dependency is getting pulled from.
A way to see - if something like mavenCentral() is getting added somewhere in the chain, even though the project didn't declare it explicitly.
v
An easy way to prevent that is to declare the repositories centrally in the settings script and switch the mode to fail on project repos. If then some project tries to add one or a bad practice plugin tries to add one, the build will fail. Unless of course it is a settings plugin that adds the repository, but I think this is quite unlikely. But other than that, you can just iterate over the repositories to check what is added right now.
r
Yea, we have
dependencyResolutionManagement {
  @Suppress("UnstableApiUsage")
  repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
  ......
}
which prevents and should theoretically. We point or pull deps from our own artifactory, where the deps are mirrored. Started to notice 429, streaming from public maven for a few coordinates.
Hence, the question - if the fetch from our artifactory fails can gradle build point to public maven or in any other scenario. Nothing stands out from the project itself though.
v
With that setting neither projects nor project plugins can add any repositories without failing the build (unless that is broken which I don't believe). Do you also point the plugin repositories to your artifactory? Which coordinates are affected, is something outstanding for them? Without further investigation, the only thing that comes to mind would be a settings plugin that adds the repository. But just iterate over the repositories or set a breakpoint and check in the debugger.
r
Yes for plugins as well.
pluginManagement {
  repositories {
    maven(url = "https://...")
  }
}
Yep, looking at iterating it and see if something stands out.
> Which coordinates are affected
Noticed few pointing at - https://repo.maven.apache.org/maven2/com/github/ajalt/mordant/mordant/3.0.2/mordant-3.0.2.pom which should be fetched from our own proxy.
I am looking, but was wondering if projects dep-resolution block also need
rulesMode.set(RulesMode.FAIL_ON_PROJECT_RULES)
🤔
v
What is rulesMode?
Or did you mistype rules for repository?
If so, then no, that is not even a thing, and would be quite strange anyway, because if you declare in the settings script that projects must not have own repositories and then projects can ignore that, it would be quite useless. 😄
👍 1
r
Sorry..
dependencyResolutionManagement {
  @Suppress("UnstableApiUsage")
  repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)

  rulesMode.set(RulesMode.FAIL_ON_PROJECT_RULES)
}
v
Ah, forgot about that, but no, I don't think so. That setting is about component metadata rules which you can, like repositories, either declare in the settings script or in the project build scripts but not both. And just like the repositories you can then forbid either or configure which should be preferred. But that should not have anything to do with the repositories.
r
Ahh thanks.
👌 1