Dependency Management for Java - Portland - 2025-11-04

Transcript

1. None

2. About me Portland Oregon Java since 1996 open source contributor

3. None

4. 📍 hundreds of libraries on the classpath 📍 open source

   libraries + internal libraries 📍 Java, Kotlin, Scala Modern Java applications

5. What is the worst that could happen? Outdated libraries on

   your production classpath
6. None

7. 2017 US House committee Equifax CEO US Rep Greg Walden

8. 2017 US House committee US Rep Greg Walden “the Apache

   Struts software which contained the vulnerability that led to this breach was running on the Equifax system”

9. Java development

10. Java dependency conflicts

11. Gradle blog November 2019 “The larger the project and its

    dependency graph, the harder it is to maintain”

12. “Dependency issues can cause many problems” Gradle blog November 2019

13. “If you are lucky, you would get a compile time

    error” Gradle blog November 2019

14. “it is common to only see problems occurring when executing

    tests or even at production runtime” Gradle blog November 2019

15. NoClassDefFoundError ClassNotFoundException

16. NoSuchMethodError UnsatisfiedLinkError

17. Let’s talk about dependency resolution

18. dependencies { implementation(“foo:liba:1.5.2”) implementation(“foo:libz:0.2.1”) implementation(“com.google.guava:guava:28.2”) }

19. liba 1.5.2 app 1.0.0 libz 0.2.1 guava 19.0 guava 33.4.8

    guava 28.2

20. liba 1.5.2 app 1.0.0 libz 0.2.1 guava 19.0 guava 33.4.8

    guava 28.2

21. Maven: “nearest wins” Gradle: “highest version wins” guava 28.2 guava

    33.4.8

22. Jake Wharton - March 2024 https://jakewharton.com/nonsensical-maven-is-still-a-gradle-problem/

23. “Maven’s dependency resolution strategy is objectively bonkers” Jake Wharton -

    March 2024 https://jakewharton.com/nonsensical-maven-is-still-a-gradle-problem/

24. Java classpath

25. what Java libraries do you have in production right now?

26. do you have outdated libraries in production?

27. do you have SNAPSHOT libraries in production?

28. Microservice app:1.5.2 sharedlib:1.8.3 swagger-annotations:2.2.31-SNAPSHOT

29. “Let’s add one more Java library ” Java library

30. None

31. Dependency Hell

32. Dependency Hell is a common problem

33. Dependency Hell @ gilt.com (2015)

34. Dependency Hell @ Netflix (2017)

35. Gradle’s optimistic dependency resolution may inadvertently upgrade dependencies, causing compatibility

    issues.

36. Taming dependency hell

37. Pin dependency to a specific version?

38. configurations.all { resolutionStrategy { force 'com.example:foobar:0.9.2' } }

39. Mike McGarr Netflix, 2017

40. Google JLBP “Google Best Practices for Java Libraries are rules

    that minimize problems for consumers of interconnected Java libraries“ jlbp.dev

41. JLBP-1 Minimize Dependencies “Scrutinize all dependency additions”

42. JLBP-1 Minimize Dependency Scope “When you do add a dependency,

    keep it scoped as narrowly as possible”

43. JLBP-1 “Prefer JDK classes where available” “For any given functionality,

    pick exactly one library”

44. JLBP-1 Separate the tool classpath from the product classpath

45. JLBP-11 Keep dependencies up to date

46. JLBP-11 “Release no later than 6 weeks after any of

    your dependencies releases a higher version”

47. JLBP-11 “Staying up to date is also important to ensure

    that security fixes are rolled out promptly”

48. JLBP-15 Publish a BOM for multi-module projects

49. JLBP-16 Ensure upper version alignment of dependencies for consumers

50. JLBP-16 “The version of each dependency added to the classpath

    should the highest version in the dependency tree”

51. Common problems with Java dependencies

52. Compilation failure [ERROR] bad class file: /Users/skywalker/.m2/repository/org/apache/iceberg/iceberg-api/1.9. 2/iceberg-api-1.9.2.jar(org/apache/iceberg/IcebergBuild.class) [ERROR] class

    file has wrong version 55.0, should be 52.0

53. class file has wrong version 61.0, should be 52.0

54. Dependency misalignment jackson-databind:2.19.2 jackson-core:2.19.0

55. Scala sadness jackson-module-scala_2.12-2.19.2.jar jackson-module-scala_2.13-2.19.2.jar 🚩 what if both of these

    jars are on the classpath? 🚩

56. 🔵 dependencyConvergence 🔵 requireUpperBoundDeps 🔵 banDuplicateClasses Maven Enforcer plugin

57. Gradle Enforcer plugin

58. Gradle Enforcer plugin ✅ DependencyConvergence

59. Let’s talk about OpenRewrite

60. OpenRewrite recipes 🟢 AddDependency 🟢 RemoveDependency 🟢 ChangeDependency 🟢 UpgradeDependencyVersion

61. Let’s talk about Jackson

62. Real world scenario Jackson 2.x → Jackson 3.x

63. Jackson library

64. Jackson upgrade demo

65. GitHub Copilot Agent

66. GitHub Copilot Agent

67. OpenRewrite recipe

68. Final thoughts

69. 🟢 Build often 🟢 Release often 🟢 Ownership 🟢 consider

    OpenRewrite for complex migrations

70. Questions?

71. The End

72. Bonus

73. Let’s talk about Netty

74. Netty dependencies 🔵 some Netty artifacts are platform dependent 🔵

    use artifact classifiers

75. Example: artifact <classifier> Linux x86

76. Linux ARM 64 Example: artifact <classifier>

77. DPE Summit 2025: From Lag to Lightning Aubrey Chipman and

    Roberto Perez Alcolea

78. JConf 2022 : Dependency management Roberto Perez Alcolea

79. Devnexus 2021 Taming Java Dependencies @ Google Stephanie Wang

80. David Handermann [ exceptionfactory.com ]

81. Let’s talk about JCenter

82. JCenter repository end-of-life

83. None

84. “At the end of the sunset, all JCenter requests will

    automatically be redirected to Maven Central and served from there.”

85. Forcing gradle to check for updated versions ./gradlew build --refresh-dependencies

86. None
87. None