If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/nostra13/Android-Universal-Image-Loader shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

GO — Healthy across all four use cases

• 12 active contributors
• Apache-2.0 licensed
• CI configured
• Tests present
• ⚠ Stale — last commit 2y ago
• ⚠ Concentrated ownership — top contributor handles 74% of recent commits

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live nostra13/Android-Universal-Image-Loader repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/nostra13/Android-Universal-Image-Loader.

What it runs against: a local clone of nostra13/Android-Universal-Image-Loader — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in nostra13/Android-Universal-Image-Loader | Confirms the artifact applies here, not a fork | | 2 | License is still Apache-2.0 | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | Last commit ≤ 661 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of nostra13/Android-Universal-Image-Loader. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/nostra13/Android-Universal-Image-Loader.git
#   cd Android-Universal-Image-Loader
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of nostra13/Android-Universal-Image-Loader and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "nostra13/Android-Universal-Image-Loader(\\.git)?\\b" \\
  && ok "origin remote is nostra13/Android-Universal-Image-Loader" \\
  || miss "origin remote is not nostra13/Android-Universal-Image-Loader (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(Apache-2\\.0)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"Apache-2\\.0\"" package.json 2>/dev/null) \\
  && ok "license is Apache-2.0" \\
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 661 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~631d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/nostra13/Android-Universal-Image-Loader"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

Android Universal Image Loader is a powerful, pre-Glide/Picasso era library for asynchronous image loading, caching, and display on Android. It provides multi-threaded image fetching with configurable memory and disk caching (LRU, FIFO, age-based strategies), support for multiple image sources (HTTP, file, content provider, assets), and extensive customization of display options including stub images, bitmap transformations, and progress listening. Single-module library structure: library/src/main/java/com/nostra13/universalimageloader/ contains the core engine split into cache/ (memory and disk caching), image loading pipeline, display options, and decoders. The cache/ subdirectory further splits into memory/ (LRU, FIFO, age-based implementations in memory/impl/) and disc/ (disk cache with naming strategies via disc/naming/ and LRU implementation via disc/impl/ext/DiskLruCache.java). No separate samples in the structure shown; build artifacts in downloads/.

Android developers building apps that need to display remote or local images efficiently without modern libraries like Glide or Picasso. Originally aimed at developers before 2015 who needed fine-grained control over caching behavior, thread pools, and image processing pipelines in resource-constrained devices.

This project is abandoned and no longer maintained as of November 2015 (nearly 10 years ago). The maintainer explicitly states in README: 'Really have no time for development... so I stop project maintaining since Nov 27 :(' The codebase is stable (v1.9.5 final release) but receives no security updates, bug fixes, or Android API level upgrades. It is a historical reference, not production-ready for modern Android development.

High risk for new projects. The library targets Android 4.1+ (API 16+), which is severely outdated; modern development requires API 21+. No active maintenance means no fixes for Android 11+ scoped storage, memory leaks in legacy threading models, or compatibility with Kotlin coroutines/Flow. Single-author abandonment with no community fork governance. Modern alternatives (Glide, Picasso, Coil) are actively maintained and recommended instead.

Nothing. The project is in stasis. The last meaningful commit was in 2015. The .github/workflows/gradle-wrapper-validation.yml suggests minimal CI setup (likely added after abandonment for basic validation). No active issues, PRs, or milestones are being tracked.

git clone https://github.com/nostra13/Android-Universal-Image-Loader.git
cd Android-Universal-Image-Loader
./gradlew build

The project uses Gradle (gradlew wrapper included). No special setup required beyond Android SDK, but expect build failures on modern Gradle/AGP versions.

Daily commands: This is a library, not a runnable app. To use it: ./gradlew assembleRelease builds the AAR/JAR. To test against sample code (if present): check for sample/ module and run ./gradlew sample:installDebug. The prebuilt JAR is available at downloads/universal-image-loader-1.9.5.jar.

• library/src/main/java/com/nostra13/universalimageloader/cache/memory/MemoryCache.java: Core interface defining in-memory image caching contract; all memory cache implementations (LRU, FIFO, age-based) inherit from this or BaseMemoryCache.java
• library/src/main/java/com/nostra13/universalimageloader/cache/disc/DiskCache.java: Core interface for disk-based image caching; implementations handle persistent storage strategies (unlimited vs. size/age-limited)
• library/src/main/java/com/nostra13/universalimageloader/cache/memory/impl/LRULimitedMemoryCache.java: LRU memory cache implementation, the most commonly used in-memory strategy for evicting least-recently-used bitmaps when cache fills
• library/src/main/java/com/nostra13/universalimageloader/cache/disc/impl/ext/DiskLruCache.java: Extracted LRU disk cache (from Android source), handles persistent cache with journal-based eviction and atomic writes
• library/src/main/java/com/nostra13/universalimageloader/cache/disc/naming/Md5FileNameGenerator.java: Strategy for generating cache file names using MD5 hashing of URLs; Md5FileNameGenerator vs. HashCodeFileNameGenerator are alternatives
• library/src/main/java/com/nostra13/universalimageloader/cache/memory/BaseMemoryCache.java: Abstract base for memory caches providing common put/get/remove logic; subclasses add eviction strategies (LRU, FIFO, age)
• library/src/main/java/com/nostra13/universalimageloader/cache/disc/impl/BaseDiskCache.java: Abstract base for disk caches with file I/O, directory setup, and get/save/remove operations; subclasses add size/age limits
• library/build.gradle: Library-specific Gradle config; defines dependencies, Android SDK versions, and build outputs (AAR/JAR)

Start in library/src/main/java/com/nostra13/universalimageloader/: For cache behavior, modify cache/memory/impl/ (LRULimitedMemoryCache.java, FIFOLimitedMemoryCache.java, LimitedAgeMemoryCache.java) or cache/disc/impl/ (BaseDiskCache.java, UnlimitedDiskCache.java, LimitedAgeDiskCache.java). For image loading, look for the ImageLoader class (entry point, not in file list but referenced by README). For display options, check Display Options mentioned in wiki. For network/decoding, search for Downloader and Decoder implementations. The cache/disc/naming/ directory controls cache file naming strategies (MD5, HashCode generators).

1. No Android Studio support for modern versions: Gradle wrapper is v6.7.1 (from gradle/wrapper/gradle-wrapper.properties), incompatible with AGP 7.0+. Manual upgrade required and likely breaks API usages. 2. Memory leaks in legacy threading: ExecutorService thread pools not properly shutdown; can leak memory in long-lived Android apps. 3. No support for modern scoped storage (Android 11+): Uses legacy File APIs directly, will fail on target API 31+. 4. Required configuration at app startup: ImageLoaderConfiguration must be initialized globally before first use; forgetting this causes NullPointerException silently. 5. File system cache path issues: Assumes writable external storage (SD card); modern permissions model breaks this. 6. No Kotlin support: Written in pure Java; no coroutines or Flow integration, verbose callback-based API.

• LRU (Least Recently Used) Eviction — UIL's most popular cache strategy, implemented in cache/memory/impl/LRULimitedMemoryCache.java and cache/disc/impl/ext/DiskLruCache.java; understanding LRU is essential to knowing when and why images get dropped from cache
• Memory vs. Disk Caching Tiers — UIL uniquely lets you configure separate strategies for RAM cache (fast, limited) and disk cache (persistent, slow); understanding the trade-offs is core to UIL's flexibility vs. modern libraries' opinionated defaults
• Thread Pools and ExecutorService — UIL uses Java's ExecutorService for multi-threaded image loading; misunderstanding thread management leads to ANRs, memory leaks, or deadlocks in the legacy threading model
• File-Based Journal for Disk Cache Consistency — The DiskLruCache.java (adapted from Android source) uses a journal file to track cache state atomically; understanding this prevents data corruption if the app crashes mid-write
• Strategy Pattern for Cache Selection — UIL defines MemoryCache and DiskCache as interchangeable strategies (FIFO, LRU, age-based); recognizing this pattern helps you extend UIL or swap implementations
• FIFO (First In First Out) Eviction — Alternative to LRU in cache/memory/impl/FIFOLimitedMemoryCache.java; simpler but less adaptive than LRU; used when order matters more than access frequency
• Age-Based Cache Expiration — UIL provides LimitedAgeMemoryCache and LimitedAgeDiskCache for time-based invalidation; essential for stale data handling without manual refresh logic

• square/picasso — Spiritual successor to UIL; simpler API, built by Square, actively maintained as the post-UIL standard for image loading (2013 onwards)
• bumptech/glide — Modern replacement for UIL; Google-backed, optimized for performance, supports Kotlin, lifecycle-aware caching, became the de facto standard after 2014
• coil-kt/coil — Latest-generation image loader designed for Kotlin; uses coroutines/Flow, replaces UIL/Picasso/Glide for modern Android development
• google/ExoPlayer — Orthogonal but often used alongside UIL; ExoPlayer handles video/media loading where UIL handles image caching; demonstrates thread-safe async resource management
• JakeWharton/DiskLruCache — The upstream source of UIL's cache/disc/impl/ext/DiskLruCache.java; Jake Wharton's standalone LRU disk cache (extracted from Android, adopted by Picasso/Glide)

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Migrate from Travis CI to GitHub Actions with comprehensive test matrix

The repo uses outdated Travis CI (.travis.yml) and has a minimal GitHub Actions workflow (gradle-wrapper-validation.yml). A modern GitHub Actions workflow should test against multiple Android API levels, Java versions, and build variants. This is critical for a library with 8+ cache implementations and multiple image loading strategies to ensure compatibility.

• [ ] Create .github/workflows/android-tests.yml with matrix testing (API 21, 28, 29, 30+)
• [ ] Add Java 8/11 compatibility matrix to catch version-specific issues
• [ ] Include library build, unit tests, and integration tests in the workflow
• [ ] Remove dependency on .travis.yml by verifying all CI logic is in GitHub Actions
• [ ] Add badge to README.md for the new GitHub Actions workflow status

Add unit tests for memory cache implementations

The library has 8 memory cache implementations (LRULimitedMemoryCache, LimitedAgeMemoryCache, WeakMemoryCache, etc.) in library/src/main/java/com/nostra13/universalimageloader/cache/memory/impl/ but no visible test coverage. These are critical components handling eviction policies that can affect app memory usage. Unit tests would validate eviction behavior, thread safety, and edge cases.

• [ ] Create library/src/test/java/com/nostra13/universalimageloader/cache/memory/ directory structure
• [ ] Add LRULimitedMemoryCacheTest.java testing eviction order, size limits, and concurrent access
• [ ] Add LimitedAgeMemoryCacheTest.java testing age-based eviction logic
• [ ] Add WeakMemoryCacheTest.java testing weak reference behavior during GC
• [ ] Add tests for edge cases (null keys, negative sizes, concurrent put/get operations)

Add unit tests for disk cache implementations and naming generators

The disk cache layer (library/src/main/java/com/nostra13/universalimageloader/cache/disc/) has multiple implementations (LimitedAgeDiskCache, LruDiskCache) and naming strategies (Md5FileNameGenerator, HashCodeFileNameGenerator) but lacks visible test coverage. File I/O, cache corruption, and naming collisions are critical to test.

• [ ] Create library/src/test/java/com/nostra13/universalimageloader/cache/disc/ directory structure
• [ ] Add Md5FileNameGeneratorTest.java and HashCodeFileNameGeneratorTest.java testing collision rates and determinism
• [ ] Add LruDiskCacheTest.java testing LRU eviction, size limits, and file integrity
• [ ] Add LimitedAgeDiskCacheTest.java testing age-based eviction and expired file cleanup
• [ ] Add integration tests for corrupt cache file recovery scenarios

• Add unit tests for cache/memory/impl/LRULimitedMemoryCache.java and cache/disc/impl/BaseDiskCache.java: The codebase has no visible test files in the provided structure, yet caching logic is critical. Writing tests for eviction behavior (size limits, age limits, LRU order) would catch regressions and document expected behavior.
• Upgrade Gradle wrapper from 6.7.1 to 7.6.0+ and AGP from 3.6.2 to 8.0+: The .gradle/wrapper/gradle-wrapper.properties specifies an ancient version. A new contributor could update the wrapper and fix any deprecated API calls in library/build.gradle, documenting required Java/AGP changes in the README.
• Add JavaDoc comments to core interfaces (MemoryCache.java, DiskCache.java, and cache/memory/BaseMemoryCache.java): The public API lacks documentation explaining when to use each cache type, eviction behavior, and thread-safety guarantees. This would help users understand UIL's design.

The Android-Universal-Image-Loader project has several significant security concerns. The primary issues are the outdated Gradle build tools (3.6.2 from 2019), reliance on the defunct jcenter() repository, and most critically, the project's stated lack of active maintenance ('Really have no time for dev'). These factors combined indicate the codebase will not receive security updates and uses deprecated dependencies with known vulnerabilities. Organizations using this library in production should consider migrating to actively maintained alternatives (Coil, Glide) or implementing a comprehensive security patching and maintenance strategy via a fork. The absence of a security policy and vulnerability disclosure mechanism further compounds the risk.

• High · Outdated Gradle Build Tools — build.gradle (classpath 'com.android.tools.build:gradle:3.6.2'). The project uses Gradle 3.6.2 (released in 2019), which is significantly outdated and likely contains known security vulnerabilities. This version is no longer supported and does not receive security patches. Fix: Update to the latest stable version of Android Gradle Plugin (currently 8.x or higher). This ensures access to security patches and modern build system improvements.
• High · Deprecated Repository: JCenter — build.gradle (repositories { jcenter() }). The project relies on jcenter() repository which was shut down in January 2021. While the repository may still be accessible through mirrors, this is no longer an official supported repository and poses supply chain risks. Fix: Remove jcenter() and rely on mavenCentral() or Google Maven repository exclusively. Update any dependencies that were only available on jcenter.
• Medium · Lack of Dependency Pinning — build.gradle and gradle/wrapper/gradle-wrapper.properties. The build.gradle file shows no explicit version pinning for dependencies, and the gradle wrapper version (3.6.2) uses a very old and potentially insecure version. This increases the risk of supply chain attacks through dependency injection. Fix: Implement explicit version constraints for all dependencies. Regularly audit and update dependencies. Consider using dependency lock files and security scanning tools.
• Medium · Project Maintenance Status — README.md (Project News section). The README explicitly states 'Really have no time for dev', indicating this project is no longer actively maintained. This means security vulnerabilities discovered will not be patched promptly. Fix: For production use, consider maintaining a fork with security patches or migrating to an actively maintained image-loading library (e.g., Coil, Glide, Picasso maintained versions).
• Medium · Missing Security Policy and Vulnerability Disclosure — Repository root (absence of SECURITY.md). No SECURITY.md file or vulnerability disclosure policy is present in the repository. This makes it difficult for security researchers to responsibly report vulnerabilities. Fix: Create a SECURITY.md file in the repository root with clear instructions for reporting security vulnerabilities, preferred contact methods, and expected response timelines.
• Low · Disabled Javadoc Lint Checks — build.gradle (options.addStringOption('Xdoclint:none', '-quiet')). The build configuration disables Javadoc doclint checks, which could mask documentation quality issues and potential code documentation problems. Fix: Enable Javadoc lint checks to catch documentation issues early. Only disable specific checks if absolutely necessary and document the reason.
• Low · No Explicit Gradle Wrapper Validation — gradle/wrapper/gradle-wrapper.jar. While a gradle-wrapper-validation.yml workflow exists, the actual gradle-wrapper.jar is stored in the repository, which could pose risks if the wrapper is compromised. Fix: Verify the integrity of gradle-wrapper.jar. Consider using Gradle's wrapper validation in CI/CD to ensure wrapper integrity on every build.

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.