---
title: Gradle依赖锁定与校验和治理(version lock-校验)最佳实践
keywords:
- Gradle
- 依赖锁定
- 校验和
- 版本对齐
- 白名单
description: 通过依赖锁定与校验和校验、仓库白名单与版本对齐,治理Gradle依赖的完整性与一致性。
categories:
- 文章资讯
- 编程技术
---
实现示例
type GDep = { group: string; name: string; version: string; sha256?: string; repo: string }
const allowRepos = new Set<string>(['https://repo1.maven.org','https://maven.example.com'])
function hex64(h?: string): boolean { return !!h && /^[A-Fa-f0-9]{64}$/.test(h) }
function validRepo(u: string): boolean { try { const x = new URL(u); return x.protocol === 'https:' && allowRepos.has(x.origin) } catch { return false } }
function semverLike(v: string): boolean { return /^(\d+\.\d+\.\d+)(?:[-A-Za-z0-9_.]+)?$/.test(v) }
function evaluate(list: GDep[]): { ok: boolean; errors: string[] } {
const errors: string[] = []
for (const d of list) {
if (!d.group || !d.name || !semverLike(d.version)) errors.push(`id:${d.group}:${d.name}`)
if (!validRepo(d.repo)) errors.push(`repo:${d.group}:${d.name}`)
if (d.sha256 && !hex64(d.sha256)) errors.push(`hash:${d.group}:${d.name}`)
}
return { ok: errors.length === 0, errors }
}
审计与CI门禁
- 审计仓库与版本、校验和;异常阻断并输出修复建议。
- 锁定文件与版本对齐需审批与归档。
发表评论 取消回复