Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Dependency management for Java applications 202...
Search
sullis
September 11, 2025
Programming
0
13
Dependency management for Java applications 2025-09-11
Community Over Code 2025
Minneapolis Minnesota
September 11 2025
sullis
September 11, 2025
Tweet
Share
More Decks by sullis
See All by sullis
S3 NYC Iceberg meetup 2025-07-10
sullis
0
42
Amazon S3 Chicago 2025-06-04
sullis
0
100
Amazon S3 Boston 2025-05-07
sullis
0
59
Netty ConFoo Montreal 2025-02-27
sullis
0
110
GitHub Actions ConFoo Montreal 2025-02-26
sullis
0
66
Netty Portland Java User Group 2025-02-18
sullis
0
14
Amazon S3 NYJavaSIG 2024-12-12
sullis
0
190
Amazon S3 - Portland Java User Group 2024-09-17
sullis
0
110
Netty - Montreal Java User Group 2024-05-21
sullis
0
180
Other Decks in Programming
See All in Programming
詳しくない分野でのVibe Codingで困ったことと学び/vibe-coding-in-unfamiliar-area
shibayu36
3
4.1k
After go func(): Goroutines Through a Beginner’s Eye
97vaibhav
0
230
猫と暮らすネットワークカメラ生活🐈 ~Vision frameworkでペットを愛でよう~ / iOSDC Japan 2025
yutailang0119
0
220
開発者への寄付をアプリ内課金として実装する時の気の使いどころ
ski
0
340
Go言語の特性を活かした公式MCP SDKの設計
hond0413
1
130
いま中途半端なSwift 6対応をするより、Default ActorやApproachable Concurrencyを有効にしてからでいいんじゃない?
yimajo
2
330
Web技術を最大限活用してRAW画像を現像する / Developing RAW Images on the Web
ssssota
2
1.1k
そのpreloadは必要?見過ごされたpreloadが技術的負債として爆発した日
mugitti9
2
2.9k
ABEMAモバイルアプリが Kotlin Multiplatformと歩んだ5年 ─ 導入と運用、成功と課題 / iOSDC 2025
akkyie
0
320
CSC305 Lecture 03
javiergs
PRO
0
230
2分台で1500examples完走!爆速CIを支える環境構築術 - Kaigi on Rails 2025
falcon8823
3
2.9k
Serena MCPのすすめ
wadakatu
4
880
Featured
See All Featured
Statistics for Hackers
jakevdp
799
220k
Stop Working from a Prison Cell
hatefulcrawdad
271
21k
What’s in a name? Adding method to the madness
productmarketing
PRO
23
3.7k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
35
3.2k
Balancing Empowerment & Direction
lara
4
680
Building an army of robots
kneath
306
46k
Why Our Code Smells
bkeepers
PRO
339
57k
Side Projects
sachag
455
43k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Site-Speed That Sticks
csswizardry
11
880
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
2.6k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Transcript
Sean Sullivan Community Over Code September 2025 Dependency Management for
Java applications
About me Portland Oregon Java since 1996 open source contributor
Outdated libraries on your production classpath What is the worst
that could happen?
None
2017 US House committee Equifax CEO US Rep Greg Walden
2017 US House committee US Rep Greg Walden “the Apache
Struts software which contained the vulnerability that led to this breach was running on the Equifax system”
Java development
Java dependency conflicts
Gradle blog November 2019 “The larger the project and its
dependency graph, the harder it is to maintain”
“Dependency issues can cause many problems” Gradle blog November 2019
“If you are lucky, you would get a compile time
error” Gradle blog November 2019
“it is common to only see problems occurring when executing
tests or even at production runtime” Gradle blog November 2019
NoClassDefFoundError ClassNotFoundException
NoSuchMethodError UnsatisfiedLinkError
Let’s talk about dependency resolution
dependencies { implementation(“foo:liba:1.5.2”) implementation(“foo:libz:0.2.1”) implementation(“com.google.guava:guava:28.2”) }
liba 1.5.2 app 1.0.0 libz 0.2.1 guava 19.0 guava 33.4.8
guava 28.2
liba 1.5.2 app 1.0.0 libz 0.2.1 guava 19.0 guava 33.4.8
guava 28.2
Maven: “nearest wins” Gradle: “highest version wins” guava 28.2 guava
33.4.8
Jake Wharton - March 2024 https://jakewharton.com/nonsensical-maven-is-still-a-gradle-problem/
“Maven’s dependency resolution strategy is objectively bonkers” Jake Wharton -
March 2024 https://jakewharton.com/nonsensical-maven-is-still-a-gradle-problem/
Java classpath
what Java libraries do you have in production right now?
do you have outdated libraries in production?
do you have SNAPSHOT libraries in production?
Microservice app:1.5.2 sharedlib:1.8.3 swagger-annotations:2.2.31-SNAPSHOT
📍 hundreds of libraries on the runtime classpath 📍 open
source libraries + internal libraries 📍 Java, Kotlin, Scala Modern Java applications
“Let’s add one more Java library ” Java library
None
Dependency Hell
Dependency Hell is a common problem
Dependency Hell @ gilt.com (2015)
Dependency Hell @ Netflix (2017)
Gradle’s optimistic dependency resolution may inadvertently upgrade dependencies, causing compatibility
issues.
Taming dependency hell
Pin dependency to a specific version?
configurations.all { resolutionStrategy { force 'com.example:foobar:0.9.2' } }
Mike McGarr Netflix, 2017
Google JLBP “Google Best Practices for Java Libraries are rules
that minimize problems for consumers of interconnected Java libraries“ jlbp.dev
JLBP-1 Minimize Dependencies “Scrutinize all dependency additions”
JLBP-1 Minimize Dependency Scope “When you do add a dependency,
keep it scoped as narrowly as possible”
JLBP-1 “Prefer JDK classes where available” “For any given functionality,
pick exactly one library”
JLBP-1 Separate the tool classpath from the product classpath
JLBP-11 Keep dependencies up to date
JLBP-11 “Release no later than 6 weeks after any of
your dependencies releases a higher version”
JLBP-11 “Staying up to date is also important to ensure
that security fixes are rolled out promptly”
JLBP-15 Publish a BOM for multi-module projects
JLBP-16 Ensure upper version alignment of dependencies for consumers
JLBP-16 “The version of each dependency added to the classpath
should the highest version in the dependency tree”
Common problems with Java dependencies
Compilation failure [ERROR] bad class file: /Users/skywalker/.m2/repository/org/apache/iceberg/iceberg-api/1.9. 2/iceberg-api-1.9.2.jar(org/apache/iceberg/IcebergBuild.class) [ERROR] class
file has wrong version 55.0, should be 52.0
class file has wrong version 61.0, should be 52.0
Dependency misalignment jackson-databind:2.19.2 jackson-core:2.19.0
Scala sadness jackson-module-scala_2.12-2.19.2.jar jackson-module-scala_2.13-2.19.2.jar 🚩 what if both of these
jars are on the classpath? 🚩
🔵 dependencyConvergence 🔵 requireUpperBoundDeps 🔵 banDuplicateClasses Maven Enforcer plugin
Gradle Enforcer plugin
Gradle Enforcer plugin ✅ DependencyConvergence
Let’s talk about OpenRewrite
OpenRewrite recipes 🟢 AddDependency 🟢 RemoveDependency 🟢 ChangeDependency 🟢 UpgradeDependencyVersion
Final thoughts
🟢 Build often 🟢 Release often 🟢 Ownership 🟢 consider
OpenRewrite for complex migrations
Questions?
The End
Bonus
Let’s talk about Netty
Netty dependencies 🔵 some Netty artifacts are platform dependent 🔵
use artifact classifiers
Example: artifact <classifier> Linux x86
Linux ARM 64 Example: artifact <classifier>
Devnexus 2021 Taming Java Dependencies @ Google Stephanie Wang
JConf 2022 : Dependency management Roberto Perez Alcolea
David Handermann [ exceptionfactory.com ]
Let’s talk about JCenter
JCenter repository end-of-life
None
“At the end of the sunset, all JCenter requests will
automatically be redirected to Maven Central and served from there.”
Forcing gradle to check for updated versions ./gradlew build --refresh-dependencies
None
None