The CommonsBlog

24 December 2025 Artifact Wave

We have a stable Media3 1.9.0 release as the headliner of this week’s updates:

  • androidx.gradle:gradle-version-catalog:2025.12.01
  • androidx.gradle:gradle-version-catalog-alpha:2025.12.01
  • androidx.gradle:gradle-version-catalog-beta:2025.12.01
  • androidx.media3:media3-cast:1.9.0
  • androidx.media3:media3-common:1.9.0
  • androidx.media3:media3-common-ktx:1.9.0
  • androidx.media3:media3-container:1.9.0
  • androidx.media3:media3-database:1.9.0
  • androidx.media3:media3-datasource:1.9.0
  • androidx.media3:media3-datasource-cronet:1.9.0
  • androidx.media3:media3-datasource-okhttp:1.9.0
  • androidx.media3:media3-datasource-rtmp:1.9.0
  • androidx.media3:media3-decoder:1.9.0
  • androidx.media3:media3-effect:1.9.0
  • androidx.media3:media3-exoplayer:1.9.0
  • androidx.media3:media3-exoplayer-dash:1.9.0
  • androidx.media3:media3-exoplayer-hls:1.9.0
  • androidx.media3:media3-exoplayer-ima:1.9.0
  • androidx.media3:media3-exoplayer-midi:1.9.0
  • androidx.media3:media3-exoplayer-rtsp:1.9.0
  • androidx.media3:media3-exoplayer-smoothstreaming:1.9.0
  • androidx.media3:media3-exoplayer-workmanager:1.9.0
  • androidx.media3:media3-extractor:1.9.0
  • androidx.media3:media3-inspector:1.9.0
  • androidx.media3:media3-muxer:1.9.0
  • androidx.media3:media3-session:1.9.0
  • androidx.media3:media3-test-utils:1.9.0
  • androidx.media3:media3-test-utils-robolectric:1.9.0
  • androidx.media3:media3-transformer:1.9.0
  • androidx.media3:media3-ui:1.9.0
  • androidx.media3:media3-ui-compose:1.9.0
  • androidx.media3:media3-ui-compose-material3:1.9.0
  • androidx.media3:media3-ui-leanback:1.9.0

Dec 24, 2025

17 December 2025 Artifact Wave

We got one new artifact group, androidx.compose.remote, for RemoteCompose, with several artifacts:

  • androidx.compose.remote:remote-core:1.0.0-alpha01
  • androidx.compose.remote:remote-creation:1.0.0-alpha01
  • androidx.compose.remote:remote-creation-android:1.0.0-alpha01
  • androidx.compose.remote:remote-creation-compose:1.0.0-alpha01
  • androidx.compose.remote:remote-creation-core:1.0.0-alpha01
  • androidx.compose.remote:remote-creation-jvm:1.0.0-alpha01
  • androidx.compose.remote:remote-player-compose:1.0.0-alpha01
  • androidx.compose.remote:remote-player-core:1.0.0-alpha01
  • androidx.compose.remote:remote-player-view:1.0.0-alpha01

Compose developers also got androidx.biometric:biometric-compose (presumably a Compose-native biometrics wrapper) and androidx.wear.compose:compose-navigation3 (presumably for using Nav3 on watches).

You can find the rest of the 500+ updated artifacts here!

Dec 17, 2025

Compose GitHub Repositories as Malware Vectors

As part of my work each week preparing the JetC newsletter, I review all of the GitHub repositories that have been updated in the past week and are tagged with jetpack-compose or compose-multiplatform. Not only does this give me material for the newsletter, but it gives me unusual insight into what is being published pertaining to Compose.

In the past month or so, I have noticed repositories that purport to be Compose libraries, but in reality are distributing malware. I have reported a total of five repositories to GitHub and am keeping an eye on others that match the pattern but do not yet have obvious malware.

The pattern is:

  • The repositories share a name and most of the content from existing repositories, but usually replace the home page with a generic one. They are not true GitHub forks, or at least do not show up as such in the GitHub UI, but the repositories share commits with their originating repositories. This helps the attacker appear to be legitimate, as GitHub happily reports the originating author as being a contributor on the attacker’s project.

  • The malware is in the form of a ZIP archive containing a Lua interpreter, an obfuscated Lua script, and a Windows command file to launch the interpreter and run the script.

  • That malware usually is distributed in the Releases area and often is linked to from the modified repository home page.

GitHub has taken down the original two repositories that I reported. The other three I reported yesterday, so hopefully I will get responses from GitHub in a few days.

If you develop using Compose libraries, try to make sure that you are using legitimate projects, not malware-laden clones. If you publish Compose libraries… I do not know if GitHub gives you a way to see what repositories contain your commits, but if it does, you might want to keep an eye on that list and confirm that they are real forks and not vectors for malware.

And, if you are GitHub… it is well past time for you to be implementing malware detection on uploaded ZIP archives. Relying on random balding guys to report malware to you reflects poorly on GitHub and Microsoft.

Dec 14, 2025

10 December 2025 Artifact Wave

Camera and Media3 received updates:

  • androidx.camera:camera-camera2:1.5.2
  • androidx.camera:camera-compose:1.5.2
  • androidx.camera:camera-core:1.5.2
  • androidx.camera:camera-effects:1.5.2
  • androidx.camera:camera-extensions:1.5.2
  • androidx.camera:camera-lifecycle:1.5.2
  • androidx.camera:camera-mlkit-vision:1.5.2
  • androidx.camera:camera-video:1.5.2
  • androidx.camera:camera-view:1.5.2
  • androidx.camera.featurecombinationquery:featurecombinationquery:1.5.2
  • androidx.camera.featurecombinationquery:featurecombinationquery-play-services:1.5.2
  • androidx.camera.viewfinder:viewfinder-compose:1.5.2
  • androidx.camera.viewfinder:viewfinder-core:1.5.2
  • androidx.camera.viewfinder:viewfinder-view:1.5.2
  • androidx.core:core-backported-fixes:1.0.0-rc02
  • androidx.gradle:gradle-version-catalog:2025.12.00
  • androidx.gradle:gradle-version-catalog-alpha:2025.12.00
  • androidx.gradle:gradle-version-catalog-beta:2025.12.00
  • androidx.media3:media3-cast:1.9.0-rc01
  • androidx.media3:media3-common:1.9.0-rc01
  • androidx.media3:media3-common-ktx:1.9.0-rc01
  • androidx.media3:media3-container:1.9.0-rc01
  • androidx.media3:media3-database:1.9.0-rc01
  • androidx.media3:media3-datasource:1.9.0-rc01
  • androidx.media3:media3-datasource-cronet:1.9.0-rc01
  • androidx.media3:media3-datasource-okhttp:1.9.0-rc01
  • androidx.media3:media3-datasource-rtmp:1.9.0-rc01
  • androidx.media3:media3-decoder:1.9.0-rc01
  • androidx.media3:media3-effect:1.9.0-rc01
  • androidx.media3:media3-exoplayer:1.9.0-rc01
  • androidx.media3:media3-exoplayer-dash:1.9.0-rc01
  • androidx.media3:media3-exoplayer-hls:1.9.0-rc01
  • androidx.media3:media3-exoplayer-ima:1.9.0-rc01
  • androidx.media3:media3-exoplayer-midi:1.9.0-rc01
  • androidx.media3:media3-exoplayer-rtsp:1.9.0-rc01
  • androidx.media3:media3-exoplayer-smoothstreaming:1.9.0-rc01
  • androidx.media3:media3-exoplayer-workmanager:1.9.0-rc01
  • androidx.media3:media3-extractor:1.9.0-rc01
  • androidx.media3:media3-inspector:1.9.0-rc01
  • androidx.media3:media3-muxer:1.9.0-rc01
  • androidx.media3:media3-session:1.9.0-rc01
  • androidx.media3:media3-test-utils:1.9.0-rc01
  • androidx.media3:media3-test-utils-robolectric:1.9.0-rc01
  • androidx.media3:media3-transformer:1.9.0-rc01
  • androidx.media3:media3-ui:1.9.0-rc01
  • androidx.media3:media3-ui-compose:1.9.0-rc01
  • androidx.media3:media3-ui-compose-material3:1.9.0-rc01
  • androidx.media3:media3-ui-leanback:1.9.0-rc01

Dec 10, 2025

3 December 2025 Artifact Wave

We got one new artifact group, androidx.webgpu, containing a single androidx.webgpu:webgpu artifact. WebGPU “is intended to supersede the older WebGL as the main graphics standard for the Web”.

We also got three new DataStore artifacts, extending its multiplatform support:

  • androidx.datastore:datastore-core-js
  • androidx.datastore:datastore-core-okio-js
  • androidx.datastore:datastore-preferences-core-js

You can find the rest of the 600+ updated artifacts here!

Dec 03, 2025

Older Posts

Meta


Creative Commons License