Dependency Management for Java - Code Remix Summit 2026-05-12

About me OpenRewrite contributor Java since 1996 platform engineer

Platform engineering @ Grubhub 🟢 minimize undifferentiated heavy lifting 🟢
provide application building blocks 🟢 enable Continuous Delivery 🟢 accelerate migration campaigns

Migration campaigns @ Grubhub 🟢 legacy Guice apps → Spring
Framework 🟢 Spring Boot 2 → Spring Boot 3 🟢 Gradle 8 → Gradle 9

OpenRewrite Dependency Management

JUnit migration - October 2022

🟢 hundreds of libraries on the classpath 🟢 open source
libraries 🟢 internal libraries Modern Java applications

Gradle blog November 2019 “The larger the project and its
dependency graph, the harder it is to maintain”

“Dependency issues can cause many problems” Gradle blog November 2019

“If you are lucky, you would get a compile time
error” Gradle blog November 2019

“it is common to only see problems occurring when executing
tests or even at production runtime” Gradle blog November 2019

NoClassDefFoundError ClassNotFoundException

NoSuchMethodError NoSuchFieldError

UnsatisfiedLinkError AbstractMethodError

Java dependency conflicts

Let’s talk about dependency resolution

dependencies { implementation( “foo:liba:1.5.2” ) implementation( “foo:libz:0.2.1” ) implementation( “com.google.guava:guava:28.2”
) }

liba 1.5.2 app 1.0.0 libz 0.2.1 guava 19.0 guava 33.4.8
guava 28.2

Maven: “nearest wins” Gradle: “highest version wins” guava 28.2 guava
33.4.8

Java classpath

what Java libraries do you have in production right now?

do you have outdated libraries in production?

do you have SNAPSHOT libraries in production?

Microservice app:1.5.2 sharedlib:1.8.3 swagger-annotations:2.2.31-SNAPSHOT

“Let’s add one more Java library ” Java library

Dependency Hell

Dependency Hell is a common problem

Taming dependency hell

Pin dependency to a specific version?

configurations.all { resolutionStrategy { force 'com.example:foobar:0.9.2' } }

Mike McGarr Netflix, 2017

Gradle User Guide

“Gradle’s optimistic dependency resolution may inadvertently upgrade dependencies, causing compatibility
issues” Gradle User Guide

Gradle User Guide

Common problems with Java dependencies

Compilation failure [ERROR] bad class file: /Users/skywalker/.m2/repository/org/apache/iceberg/iceberg-api/1.9. 2/iceberg-api-1.9.2.jar(org/apache/iceberg/IcebergBuild.class) [ERROR] class
file has wrong version 55.0, should be 52.0

class file has wrong version 61.0, should be 52.0

Dependency misalignment jackson-databind:2.19.2 jackson-core:2.19.0

Scala sadness jackson-module-scala_2.12-2.19.2.jar jackson-module-scala_2.13-2.19.2.jar 🚩 what if both of these
jars are on the classpath?

🔵 dependencyConvergence 🔵 requireUpperBoundDeps 🔵 banDuplicateClasses Maven Enforcer plugin

Gradle Enforcer plugin

Let’s talk about OpenRewrite

🟢 AddDependency 🟢 RemoveDependency 🟢 ChangeDependency 🟢 UpgradeDependencyVersion

AddDependency 🟢 org.openrewrite.maven.AddDependency 🟢 org.openrewrite.gradle.AddDependency 🟢 org.openrewrite.java.dependencies.AddDependency

RemoveDependency 🟢 org.openrewrite.maven.RemoveDependency 🟢 org.openrewrite.gradle.RemoveDependency 🟢 org.openrewrite.java.dependencies.RemoveDependency

ChangeDependency 🟢 org.openrewrite.maven.ChangeDependency 🟢 org.openrewrite.gradle.ChangeDependency 🟢 org.openrewrite.java.dependencies.ChangeDependency

Let’s talk about Jackson

Jackson 2.x → Jackson 3.x

Jackson library

OpenRewrite recipe

Jackson 2 to Jackson 3

Final thoughts

🟢 Build often 🟢 Release often 🟢 use OpenRewrite for
complex migrations

The End

Tuesday at 12:30 PM

Wednesday at 10:30 AM

Let’s talk about Netty

Netty dependencies 🔵 some Netty artifacts are platform dependent 🔵
use artifact classifiers

Example: artifact <classifier> Linux x86

Linux ARM 64 Example: artifact <classifier>

Dependency Management for Java - Code Remix Sum...

Dependency Management for Java - Code Remix Summit 2026-05-12

More Decks by sullis

Other Decks in Programming

Featured

Transcript