How do I replace a dependency of a dependency in gradle?

Question

I'm working with a Java project that is using a library that has a dependency on a library with a security vulnerability. Unfortunately, the updated version of the vulnerable library does not have the same group. Basically, the library org.reallyuseful.library:usefulstuff:1.0 depends on org.vulnerable.dependency:dependency:1.0 , but the vulnerability has been fixed in org.secure.dependency:dependency:1.1 .

In Gradle, how do I tell usefulstuff:1.0 to use org.secure.dependency:dependency:1.1 instead of org.vulnerable.dependency:dependency:1.0 ?

Answer 1

You can explicitly declare a dependency on org.secure.dependency:dependency:1.1 like implementation("org.secure.dependency:dependency:1.1") in your build file. The dependency version you specified will be have precedence over the transitive dependency.

Another option might be to specify an exclude rule to make sure that the dependency is not brought in (see example )

I think the best pattern would we to use the tools provided from the Dependency Management section of the user guide. In this case, you should be able to use the resolutionStrategy API. You can substitute the desired dependency for the originally requested one.

This example configures a resolution rule for every Configuration :

configurations.all {
  resolutionStrategy.eachDependency { DependencyResolveDetails details ->
    if (details.requested.group == "org.vulnerable.dependency"
        && details.requested.name == "dependency"
        && details.requested.version == "1.0") {
      details.useTarget("org.secure.dependency:dependency:1.1")
    }
  }
}

The Gradle user guide also has an example where only the version is changed, and an example which is very similar to the above snippet (and your use case).