Root Now Supports Gradle: Automated Dependency Patching for Every Java Build System

Mickey Gordon, CPO, Co-Founder

Published: Apr 29, 2026


Java teams using Gradle no longer have to wait. Root Library Catalog now supports Gradle-managed codebases, expanding full Java coverage alongside our existing Maven support. With the new Root Gradle Plugin, vulnerable dependencies get patched at build time, automatically, with zero changes to your dependency declarations.



The Problem: Gradle Projects Were Left Out

Root Library Catalog has supported Java through Maven since launch, giving teams the ability to resolve patched dependencies through pkg.root.io/maven/ with a simple settings.xml configuration. But Java's build ecosystem is split. Gradle powers a significant share of Java and Kotlin projects, from Android apps to enterprise microservices. Until now, those teams had to manage vulnerability remediation outside of their build flow.

That changes today.


What the Plugin Does

The Root Gradle Plugin integrates directly into Gradle's dependency resolution pipeline. Once installed, it:

  1. Intercepts dependency resolution for every resolvable configuration in your project

  2. Queries the Root API to check whether a patched version of each dependency exists

  3. Substitutes vulnerable coordinates with patched ones using Gradle's ResolutionStrategy.eachDependency mechanism

  4. Registers the Root Maven registry (https://pkg.root.io/maven) as a repository so patched artifacts resolve automatically

The key detail: there's no need to work with the Root CLI. The plugin does the work the CLI would normally handle (API queries, version substitution, registry configuration) within the Gradle build lifecycle.
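To make the mechanism concrete, here is a hand-written build.gradle.kts sketch of steps 1, 3 and 4 using only standard Gradle APIs, plus a task that lists every dependency whose selected version was changed by a resolution rule so the substitutions can be audited. It is an added illustration, not the Root plugin's code. The coordinate, the patched version string and the task name listSubstitutions are constructed placeholders, the static map stands in for the Root API lookup in step 2, and registry authentication is not described on this page and is left out.

```kotlin
import org.gradle.api.artifacts.result.ResolvedDependencyResult

plugins {
    java
}

repositories {
    mavenCentral()
    // Step 4: the Root Maven registry named in this post.
    maven { url = uri("https://pkg.root.io/maven") }
}

// Stand-in for step 2 (the Root API lookup). Constructed placeholder values:
// "group:name:version" as declared -> version to resolve instead.
val patchedVersions = mapOf(
    "com.example:sample-lib:1.2.3" to "PATCHED_VERSION_PLACEHOLDER"
)

// Steps 1 and 3: hook every resolvable configuration and rewrite matches.
configurations.configureEach {
    if (isCanBeResolved) {
        resolutionStrategy.eachDependency {
            val key = "${requested.group}:${requested.name}:${requested.version}"
            patchedVersions[key]?.let { patched ->
                useVersion(patched)
                // The reason is recorded by Gradle and shown by dependencyInsight.
                because("patched build substituted for $key")
            }
        }
    }
}

// Audit: print requested -> selected for every dependency on the runtime
// classpath whose selection was decided by a resolution rule.
tasks.register("listSubstitutions") {
    doLast {
        configurations["runtimeClasspath"].incoming.resolutionResult.allDependencies
            .filterIsInstance<ResolvedDependencyResult>()
            .filter { it.selected.selectionReason.isSelectedByRule }
            .forEach { dep ->
                println("${dep.requested.displayName} -> ${dep.selected.id.displayName}")
            }
    }
}
```

Because eachDependency rules apply to transitive dependencies as well as declared ones, the audit task walks the whole resolved graph rather than only the dependencies block.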


How to Get Started

Add the plugin to settings.gradle.kts, apply io.root.patcher in your build file, set your ROOTIO_API_KEY, and run ./gradlew build.

The plugin handles the rest: it queries Root's API for patched versions of your declared dependencies, substitutes vulnerable coordinates automatically via Gradle's ResolutionStrategy, and registers the Root Maven registry so patched artifacts resolve without any manual configuration. No CLI required.

For multi-module projects, apply the plugin once at the root level with apply false and propagate via subprojects. Full setup details at docs.root.io/rlc/java#gradle.


Built-in Caching and Resilience

The plugin caches API responses locally at .gradle/rootio-cache/ with a configurable TTL (default: 24 hours), so your builds aren't slowed by repeated network calls. Exponential backoff with configurable retries handles transient API failures. For air-gapped or test environments, you can publish the plugin to a local Maven repository instead.


Why This Matters

Java's dependency tree runs deep. A single Spring Boot application can pull in hundreds of transitive dependencies, many of which carry known vulnerabilities that upstream maintainers are slow to patch. Traditional remediation means upgrading library versions, which means testing for breaking changes, resolving conflicts, and coordinating across teams.

Root takes a different approach. Instead of forcing version upgrades, Root backports the smallest safe fix to the version you already use. No migration. No dependency hell. Your build.gradle.kts stays the same; the vulnerabilities don't.

Root Library Catalog now covers the two dominant Java build systems (Maven and Gradle) alongside Python (pip, uv, Poetry) and JavaScript (npm, pnpm, yarn). Whatever your stack, the workflow is the same: point your build tool at Root, and ship patched code.

