Dependency Management for Java - Seattle 2025-11-18

Transcript

1. None

2. About me Portland Oregon Java since 1996 open source contributor

3. None

4. 🟢 hundreds of libraries on the classpath 🟢 open source

   libraries 🟢 internal libraries Modern Java applications

5. What is the worst that could happen? Outdated libraries on

   your production classpath
6. None

7. 2017 US House committee Equifax CEO US Rep Greg Walden

8. 2017 US House committee US Rep Greg Walden “the Apache

   Struts software which contained the vulnerability that led to this breach was running on the Equifax system”

9. Greenfield project

10. Java dependency conflicts

11. Gradle blog November 2019 “The larger the project and its

    dependency graph, the harder it is to maintain”

12. “Dependency issues can cause many problems” Gradle blog November 2019

13. “If you are lucky, you would get a compile time

    error” Gradle blog November 2019

14. “it is common to only see problems occurring when executing

    tests or even at production runtime” Gradle blog November 2019

15. NoClassDefFoundError ClassNotFoundException

16. NoSuchMethodError NoSuchFieldError

17. UnsatisfiedLinkError AbstractMethodError

18. Let’s talk about dependency resolution

19. dependencies { implementation( “foo:liba:1.5.2” ) implementation( “foo:libz:0.2.1” ) implementation( “com.google.guava:guava:28.2”

    ) }

20. liba 1.5.2 app 1.0.0 libz 0.2.1 guava 19.0 guava 33.4.8

    guava 28.2

21. liba 1.5.2 app 1.0.0 libz 0.2.1 guava 19.0 guava 33.4.8

    guava 28.2

22. Maven: “nearest wins” Gradle: “highest version wins” guava 28.2 guava

    33.4.8

23. Jake Wharton - March 2024 https://jakewharton.com/nonsensical-maven-is-still-a-gradle-problem/

24. “Maven’s dependency resolution strategy is objectively bonkers” Jake Wharton -

    March 2024 https://jakewharton.com/nonsensical-maven-is-still-a-gradle-problem/

25. Java classpath

26. what Java libraries do you have in production right now?

27. do you have outdated libraries in production?

28. do you have SNAPSHOT libraries in production?

29. Microservice app:1.5.2 sharedlib:1.8.3 swagger-annotations:2.2.31-SNAPSHOT

30. “Let’s add one more Java library ” Java library

31. None

32. Dependency Hell

33. Dependency Hell is a common problem

34. Dependency Hell @ gilt.com (2015)

35. Dependency Hell @ Netflix (2017)

36. Taming dependency hell

37. Pin dependency to a specific version?

38. configurations.all { resolutionStrategy { force 'com.example:foobar:0.9.2' } }

39. Mike McGarr Netflix, 2017

40. Gradle User Guide

41. “Gradle’s optimistic dependency resolution may inadvertently upgrade dependencies, causing compatibility

    issues” Gradle User Guide

42. Gradle User Guide

43. Gradle User Guide

44. Gradle User Guide

45. Gradle User Guide

46. Gradle User Guide

47. Google JLBP

48. Google JLBP “Google Best Practices for Java Libraries are rules

    that minimize problems for consumers of interconnected Java libraries“ jlbp.dev

49. JLBP-1 Minimize Dependencies “Scrutinize all dependency additions”

50. JLBP-1 Minimize Dependency Scope “When you do add a dependency,

    keep it scoped as narrowly as possible”

51. JLBP-1 “Prefer JDK classes where available” “For any given functionality,

    pick exactly one library”

52. JLBP-1 Separate the tool classpath from the product classpath

53. JLBP-11 Keep dependencies up to date

54. JLBP-11 “Release no later than 6 weeks after any of

    your dependencies releases a higher version”

55. JLBP-11 “Staying up to date is also important to ensure

    that security fixes are rolled out promptly”

56. JLBP-15 Publish a BOM for multi-module projects

57. JLBP-16 Ensure upper version alignment of dependencies for consumers

58. JLBP-16 “The version of each dependency added to the classpath

    should the highest version in the dependency tree”

59. Common problems with Java dependencies

60. Compilation failure [ERROR] bad class file: /Users/skywalker/.m2/repository/org/apache/iceberg/iceberg-api/1.9. 2/iceberg-api-1.9.2.jar(org/apache/iceberg/IcebergBuild.class) [ERROR] class

    file has wrong version 55.0, should be 52.0

61. class file has wrong version 61.0, should be 52.0

62. Dependency misalignment jackson-databind:2.19.2 jackson-core:2.19.0

63. Scala sadness jackson-module-scala_2.12-2.19.2.jar jackson-module-scala_2.13-2.19.2.jar 🚩 what if both of these

    jars are on the classpath?

64. 🔵 dependencyConvergence 🔵 requireUpperBoundDeps 🔵 banDuplicateClasses Maven Enforcer plugin

65. Gradle Enforcer plugin

66. Let’s talk about OpenRewrite

67. OpenRewrite recipes 🟢 AddDependency 🟢 RemoveDependency 🟢 ChangeDependency 🟢 UpgradeDependencyVersion

68. Let’s talk about Jackson

69. Real world scenario Jackson 2.x → Jackson 3.x

70. Jackson library

71. Jackson upgrade demo

72. GitHub Copilot Agent

73. GitHub Copilot Agent

74. OpenRewrite recipe

75. Final thoughts

76. 🟢 Build often 🟢 Release often 🟢 Ownership 🟢 consider

    OpenRewrite for complex migrations

77. Questions?

78. The End

79. Bonus

80. Let’s talk about Netty

81. Netty dependencies 🔵 some Netty artifacts are platform dependent 🔵

    use artifact classifiers

82. Example: artifact <classifier> Linux x86

83. Linux ARM 64 Example: artifact <classifier>

84. DPE Summit 2025: From Lag to Lightning Aubrey Chipman and

    Roberto Perez Alcolea

85. JConf 2022 : Dependency management Roberto Perez Alcolea

86. Devnexus 2021 Taming Java Dependencies @ Google Stephanie Wang

87. David Handermann [ exceptionfactory.com ]

88. Let’s talk about JCenter

89. JCenter repository end-of-life

90. None

91. “At the end of the sunset, all JCenter requests will

    automatically be redirected to Maven Central and served from there.”

92. Forcing gradle to check for updated versions ./gradlew build --refresh-dependencies

93. None
94. None