Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Dependency Management for Java - Seattle 2025-1...
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
sullis
November 18, 2025
Programming
52
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Dependency Management for Java - Seattle 2025-11-18
Dependency Management for Java
Seattle Java User Group
2025-11-18
#seajug
sullis
November 18, 2025
More Decks by sullis
See All by sullis
Dependency Management for Java - Code Remix Summit 2026-05-12
sullis
0
60
AI Assisted Software Development - Portland Java User Group - 2026-04-14
sullis
0
69
Dependency Management for Java - Portland - 2025-11-04
sullis
0
36
Dependency management for Java applications 2025-09-11
sullis
0
53
S3 NYC Iceberg meetup 2025-07-10
sullis
0
61
Amazon S3 Chicago 2025-06-04
sullis
0
150
Amazon S3 Boston 2025-05-07
sullis
0
110
Netty ConFoo Montreal 2025-02-27
sullis
0
180
GitHub Actions ConFoo Montreal 2025-02-26
sullis
0
120
Other Decks in Programming
See All in Programming
LLM本来の能力を解き放つサンドボックス技術とAI民主化への適用
yukukotani
3
4.6k
エージェンティックRAGにAWSで入門しよう!
har1101
9
1.8k
メソッドのジェネリクスでGoの夢は広がるか? / Kyoto.go #65
utgwkk
3
990
Datadog LLM Observabilityで実現する 安全なLLM Usage 管理
3150
0
130
Performance Engineering for Everyone
elenatanasoiu
0
240
Dataformのリポジトリを立ち上げるときにまずやること / dataform-day0-2026
snhryt
0
200
才能?センス?知らん、 続けたもん勝ちだ。-- 結婚・出産・癌を越えてなお、私がプロダクトを創り続ける理由
16bitidol
1
580
act1-costs.pdf
sumedhbala
0
130
気づいたらRubyで100作品 ー クリエイティブコーディングが生活の一部になるまで / 100 Ruby Sketches Later: How Creative Coding Became Part of My Life
chobishiba
3
610
IBM Bobを活用したレガシーアプリの最新化
oniak3ibm
PRO
1
220
これからAgentCoreを触る方へトレンドはGatewayです
har1101
5
430
AI時代のUIはどこへ行く?その2!
yusukebe
22
7.6k
Featured
See All Featured
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Unsuck your backbone
ammeep
672
58k
Build The Right Thing And Hit Your Dates
maggiecrowley
39
3.2k
What does AI have to do with Human Rights?
axbom
PRO
1
2.2k
Context Engineering - Making Every Token Count
addyosmani
9
990
AI in Enterprises - Java and Open Source to the Rescue
ivargrimstad
0
1.3k
GitHub's CSS Performance
jonrohan
1033
470k
We Are The Robots
honzajavorek
0
260
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
9
1.4k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
360
30k
The State of eCommerce SEO: How to Win in Today's Products SERPs - #SEOweek
aleyda
2
11k
Fantastic passwords and where to find them - at NoRuKo
philnash
52
3.7k
Transcript
None
About me Portland Oregon Java since 1996 open source contributor
None
🟢 hundreds of libraries on the classpath 🟢 open source
libraries 🟢 internal libraries Modern Java applications
What is the worst that could happen? Outdated libraries on
your production classpath
None
2017 US House committee Equifax CEO US Rep Greg Walden
2017 US House committee US Rep Greg Walden “the Apache
Struts software which contained the vulnerability that led to this breach was running on the Equifax system”
Greenfield project
Java dependency conflicts
Gradle blog November 2019 “The larger the project and its
dependency graph, the harder it is to maintain”
“Dependency issues can cause many problems” Gradle blog November 2019
“If you are lucky, you would get a compile time
error” Gradle blog November 2019
“it is common to only see problems occurring when executing
tests or even at production runtime” Gradle blog November 2019
NoClassDefFoundError ClassNotFoundException
NoSuchMethodError NoSuchFieldError
UnsatisfiedLinkError AbstractMethodError
Let’s talk about dependency resolution
dependencies { implementation( “foo:liba:1.5.2” ) implementation( “foo:libz:0.2.1” ) implementation( “com.google.guava:guava:28.2”
) }
liba 1.5.2 app 1.0.0 libz 0.2.1 guava 19.0 guava 33.4.8
guava 28.2
liba 1.5.2 app 1.0.0 libz 0.2.1 guava 19.0 guava 33.4.8
guava 28.2
Maven: “nearest wins” Gradle: “highest version wins” guava 28.2 guava
33.4.8
Jake Wharton - March 2024 https://jakewharton.com/nonsensical-maven-is-still-a-gradle-problem/
“Maven’s dependency resolution strategy is objectively bonkers” Jake Wharton -
March 2024 https://jakewharton.com/nonsensical-maven-is-still-a-gradle-problem/
Java classpath
what Java libraries do you have in production right now?
do you have outdated libraries in production?
do you have SNAPSHOT libraries in production?
Microservice app:1.5.2 sharedlib:1.8.3 swagger-annotations:2.2.31-SNAPSHOT
“Let’s add one more Java library ” Java library
None
Dependency Hell
Dependency Hell is a common problem
Dependency Hell @ gilt.com (2015)
Dependency Hell @ Netflix (2017)
Taming dependency hell
Pin dependency to a specific version?
configurations.all { resolutionStrategy { force 'com.example:foobar:0.9.2' } }
Mike McGarr Netflix, 2017
Gradle User Guide
“Gradle’s optimistic dependency resolution may inadvertently upgrade dependencies, causing compatibility
issues” Gradle User Guide
Gradle User Guide
Gradle User Guide
Gradle User Guide
Gradle User Guide
Gradle User Guide
Google JLBP
Google JLBP “Google Best Practices for Java Libraries are rules
that minimize problems for consumers of interconnected Java libraries“ jlbp.dev
JLBP-1 Minimize Dependencies “Scrutinize all dependency additions”
JLBP-1 Minimize Dependency Scope “When you do add a dependency,
keep it scoped as narrowly as possible”
JLBP-1 “Prefer JDK classes where available” “For any given functionality,
pick exactly one library”
JLBP-1 Separate the tool classpath from the product classpath
JLBP-11 Keep dependencies up to date
JLBP-11 “Release no later than 6 weeks after any of
your dependencies releases a higher version”
JLBP-11 “Staying up to date is also important to ensure
that security fixes are rolled out promptly”
JLBP-15 Publish a BOM for multi-module projects
JLBP-16 Ensure upper version alignment of dependencies for consumers
JLBP-16 “The version of each dependency added to the classpath
should the highest version in the dependency tree”
Common problems with Java dependencies
Compilation failure [ERROR] bad class file: /Users/skywalker/.m2/repository/org/apache/iceberg/iceberg-api/1.9. 2/iceberg-api-1.9.2.jar(org/apache/iceberg/IcebergBuild.class) [ERROR] class
file has wrong version 55.0, should be 52.0
class file has wrong version 61.0, should be 52.0
Dependency misalignment jackson-databind:2.19.2 jackson-core:2.19.0
Scala sadness jackson-module-scala_2.12-2.19.2.jar jackson-module-scala_2.13-2.19.2.jar 🚩 what if both of these
jars are on the classpath?
🔵 dependencyConvergence 🔵 requireUpperBoundDeps 🔵 banDuplicateClasses Maven Enforcer plugin
Gradle Enforcer plugin
Let’s talk about OpenRewrite
OpenRewrite recipes 🟢 AddDependency 🟢 RemoveDependency 🟢 ChangeDependency 🟢 UpgradeDependencyVersion
Let’s talk about Jackson
Real world scenario Jackson 2.x → Jackson 3.x
Jackson library
Jackson upgrade demo
GitHub Copilot Agent
GitHub Copilot Agent
OpenRewrite recipe
Final thoughts
🟢 Build often 🟢 Release often 🟢 Ownership 🟢 consider
OpenRewrite for complex migrations
Questions?
The End
Bonus
Let’s talk about Netty
Netty dependencies 🔵 some Netty artifacts are platform dependent 🔵
use artifact classifiers
Example: artifact <classifier> Linux x86
Linux ARM 64 Example: artifact <classifier>
DPE Summit 2025: From Lag to Lightning Aubrey Chipman and
Roberto Perez Alcolea
JConf 2022 : Dependency management Roberto Perez Alcolea
Devnexus 2021 Taming Java Dependencies @ Google Stephanie Wang
David Handermann [ exceptionfactory.com ]
Let’s talk about JCenter
JCenter repository end-of-life
None
“At the end of the sunset, all JCenter requests will
automatically be redirected to Maven Central and served from there.”
Forcing gradle to check for updated versions ./gradlew build --refresh-dependencies
None
None