Filter your dependencies artifacts by repository

David González
Making Tuenti
Published in
2 min read · Mar 28, 2022

It is common practice to declare one or several repositories from which a project will consume a given dependency.
Most of the time, they are popular repositories where we trust that the dependency we require is the correct one and that the chance of it having been maliciously altered is vanishingly small.

But this can happen, can’t it?

On numerous occasions, we have read articles or news where the developer community has been alerted that certain dependencies have been hijacked. So, even if we trust the source, we are not free from this happening.

Filtering serves three purposes: security, performance (fewer artifact requests to a given repository) and privacy (not exposing which dependencies your private project contains). Gradle exposes an API to help us achieve all three.

Thanks to this API, we can include or exclude artifacts from a repository by group, by module, by a strict version or a version range, and even by regular expression.
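As an added example (not code from the article), this is what those filters look like in a Kotlin DSL build.gradle.kts. The repository URL and the group, module and version names are placeholders; the filter methods are the ones Gradle's repository content descriptor provides:

```kotlin
// build.gradle.kts (added example; URL and coordinates are placeholders)
repositories {
    // Internal repository: only consulted for the artifacts listed here.
    maven {
        url = uri("https://repo.example.com/internal")
        content {
            // By group: every module under com.example.internal.
            includeGroup("com.example.internal")
            // By module: one group:module pair.
            includeModule("com.example.tools", "release-plugin")
            // By version: a Maven-style range, here versions in [1.0, 2.0).
            includeVersion("com.example.legacy", "compat", "[1.0,2.0)")
            // By regular expression: any group that starts with com.example.
            includeGroupByRegex("com\\.example\\..*")
        }
    }
    // Public repository: explicitly told never to serve our own groups,
    // so no request for them leaves the build towards Maven Central.
    mavenCentral {
        content {
            excludeGroupByRegex("com\\.example\\..*")
        }
    }
}
```

Include rules make a repository restrictive (it is asked only for what matches), while exclude rules make sure a repository is never asked for the matching coordinates; using both, as above, keeps private coordinates away from the public repository even if someone later reorders the list.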

Order matters

One factor remains that can often be misleading: using the include or exclude functions will not, by itself, prevent an artifact from being consumed from another repository. That factor is the order in which repositories are declared.

That is, if we have a list of N repositories and only the last one carries include or exclude instructions, an artifact that is also found in the first repository will be downloaded from that one, and the configuration of the subsequent repositories is never consulted.
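The following added example (again not the article's code; URL and group are placeholders) shows the ordering that avoids the problem just described, with the risky variant explained in the comments:

```kotlin
// build.gradle.kts (added example; URL and group are placeholders)
repositories {
    // Declared FIRST. Gradle walks repositories in declaration order and
    // resolves a module from the first one that has it. If mavenCentral()
    // were declared above this block, a com.example.internal artifact that
    // also existed on Maven Central (for instance one published there under
    // our group name) would be downloaded from Central, and the include rule
    // below would never be consulted.
    maven {
        url = uri("https://repo.example.com/internal")
        content { includeGroup("com.example.internal") }
    }
    // Declared second, and told never to serve the internal group, so the
    // outcome no longer depends on the declaration order alone.
    mavenCentral {
        content { excludeGroup("com.example.internal") }
    }
}
```

With the include rule in place, the internal repository is skipped for every other group, so putting it first costs nothing for public dependencies.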

Mark exclusive content

Having a list of different repositories and maintaining their inclusion and exclusion rules can be difficult work for any project.
To solve this, there is a way to declare only the content of a given repository.

In this way, we can achieve the three purposes I mentioned earlier.
Security, by having the assurance that your artefact will be downloaded from the source you trust.
Performance, by not iterating through all declared repositories to find the artefact.
Privacy, by avoiding making unnecessary requests to certain repositories in search of a specific artefact.
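As an added example (not code from the article), this is how a repository's content is declared exclusive in the Kotlin DSL; the URL and group names are placeholders, while exclusiveContent, forRepository and filter are Gradle's own blocks:

```kotlin
// build.gradle.kts (added example; URL and groups are placeholders)
repositories {
    // Everything matching the filter is resolved ONLY from this repository,
    // wherever it sits in the list. Every other repository is implicitly
    // excluded for these coordinates, so no request for them is ever sent
    // to a public repository.
    exclusiveContent {
        forRepository {
            maven { url = uri("https://repo.example.com/internal") }
        }
        filter {
            includeGroup("com.example.internal")
            includeGroupByRegex("com\\.example\\.plugins\\..*")
        }
    }
    // Public repositories may be listed in any order; they are never
    // queried for the groups above.
    mavenCentral()
    google()
}
```

This replaces hand-maintained pairs of include and exclude rules with a single declaration per private repository, which is what gives the three guarantees listed above.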

We are hiring!

Here, at Telefónica you can count on everything you need to be the best you. We need people like you that want to take this challenge of creating the Telefónica of tomorrow. Join our awesome Android Team! 👾

Source: Gradle Docs
