Dependency Management for Java - Code Remix Summit 2026-05-12

Transcript

1. None

2. About me OpenRewrite contributor Java since 1996 platform engineer

3. Platform engineering @ Grubhub 🟢 minimize undifferentiated heavy lifting 🟢

   provide application building blocks 🟢 enable Continuous Delivery 🟢 accelerate migration campaigns

4. Migration campaigns @ Grubhub 🟢 legacy Guice apps → Spring

   Framework 🟢 Spring Boot 2 → Spring Boot 3 🟢 Gradle 8 → Gradle 9
5. None
6. None
7. None

8. OpenRewrite Dependency Management

9. JUnit migration - October 2022

10. 🟢 hundreds of libraries on the classpath 🟢 open source

    libraries 🟢 internal libraries Modern Java applications

11. Gradle blog November 2019 “The larger the project and its

    dependency graph, the harder it is to maintain”

12. “Dependency issues can cause many problems” Gradle blog November 2019

13. “If you are lucky, you would get a compile time

    error” Gradle blog November 2019

14. “it is common to only see problems occurring when executing

    tests or even at production runtime” Gradle blog November 2019

15. NoClassDefFoundError ClassNotFoundException

16. NoSuchMethodError NoSuchFieldError

17. UnsatisfiedLinkError AbstractMethodError

18. Java dependency conflicts

19. Let’s talk about dependency resolution

20. dependencies { implementation( “foo:liba:1.5.2” ) implementation( “foo:libz:0.2.1” ) implementation( “com.google.guava:guava:28.2”

    ) }

21. liba 1.5.2 app 1.0.0 libz 0.2.1 guava 19.0 guava 33.4.8

    guava 28.2

22. liba 1.5.2 app 1.0.0 libz 0.2.1 guava 19.0 guava 33.4.8

    guava 28.2

23. Maven: “nearest wins” Gradle: “highest version wins” guava 28.2 guava

    33.4.8

24. Java classpath

25. what Java libraries do you have in production right now?

26. do you have outdated libraries in production?

27. do you have SNAPSHOT libraries in production?

28. Microservice app:1.5.2 sharedlib:1.8.3 swagger-annotations:2.2.31-SNAPSHOT

29. “Let’s add one more Java library ” Java library

30. None

31. Dependency Hell

32. Dependency Hell is a common problem

33. Taming dependency hell

34. Pin dependency to a specific version?

35. configurations.all { resolutionStrategy { force 'com.example:foobar:0.9.2' } }

36. Mike McGarr Netflix, 2017

37. Gradle User Guide

38. “Gradle’s optimistic dependency resolution may inadvertently upgrade dependencies, causing compatibility

    issues” Gradle User Guide

39. Gradle User Guide

40. Gradle User Guide

41. Gradle User Guide

42. Gradle User Guide

43. Gradle User Guide

44. Common problems with Java dependencies

45. Compilation failure [ERROR] bad class file: /Users/skywalker/.m2/repository/org/apache/iceberg/iceberg-api/1.9. 2/iceberg-api-1.9.2.jar(org/apache/iceberg/IcebergBuild.class) [ERROR] class

    file has wrong version 55.0, should be 52.0

46. class file has wrong version 61.0, should be 52.0

47. Dependency misalignment jackson-databind:2.19.2 jackson-core:2.19.0

48. Scala sadness jackson-module-scala_2.12-2.19.2.jar jackson-module-scala_2.13-2.19.2.jar 🚩 what if both of these

    jars are on the classpath?

49. 🔵 dependencyConvergence 🔵 requireUpperBoundDeps 🔵 banDuplicateClasses Maven Enforcer plugin

50. Gradle Enforcer plugin

51. Let’s talk about OpenRewrite

52. 🟢 AddDependency 🟢 RemoveDependency 🟢 ChangeDependency 🟢 UpgradeDependencyVersion

53. AddDependency 🟢 org.openrewrite.maven.AddDependency 🟢 org.openrewrite.gradle.AddDependency 🟢 org.openrewrite.java.dependencies.AddDependency

54. RemoveDependency 🟢 org.openrewrite.maven.RemoveDependency 🟢 org.openrewrite.gradle.RemoveDependency 🟢 org.openrewrite.java.dependencies.RemoveDependency

55. ChangeDependency 🟢 org.openrewrite.maven.ChangeDependency 🟢 org.openrewrite.gradle.ChangeDependency 🟢 org.openrewrite.java.dependencies.ChangeDependency

56. Let’s talk about Jackson

57. Jackson 2.x → Jackson 3.x

58. Jackson library

59. OpenRewrite recipe

60. Jackson 2 to Jackson 3

61. Jackson 2 to Jackson 3

62. Final thoughts

63. 🟢 Build often 🟢 Release often 🟢 use OpenRewrite for

    complex migrations

64. The End

65. Tuesday at 12:30 PM

66. Wednesday at 10:30 AM

67. Bonus

68. None

69. Let’s talk about Netty

70. Netty dependencies 🔵 some Netty artifacts are platform dependent 🔵

    use artifact classifiers

71. Example: artifact <classifier> Linux x86

72. Linux ARM 64 Example: artifact <classifier>