Sean Sullivan

Community Over Code

September 2025

Dependency Management

for Java applications

About me

Portland Oregon

Java since 1996

open source contributor

​

Outdated libraries

on your

production classpath

​

What is the worst

that could happen?

2017 US House committee

Equifax CEO

US Rep Greg Walden

2017 US House committee

US Rep Greg Walden

“the Apache Struts software

which contained the vulnerability

that led to this breach

was running

on the Equifax system”

Java

development

Java dependency

conflicts

Gradle blog

November 2019

“The larger the project and its dependency graph, the harder it is to maintain”

“Dependency issues

can cause

many problems”

Gradle blog

November 2019

“If you are lucky,

you would get a

compile time error”

Gradle blog

November 2019

“it is common to only see problems

occurring when executing tests

or even

at production runtime”

Gradle blog

November 2019

NoClassDefFoundError

ClassNotFoundException

NoSuchMethodError

UnsatisfiedLinkError

Let’s talk about dependency

resolution

​

dependencies {

implementation(“foo:liba:1.5.2”)

implementation(“foo:libz:0.2.1”)

implementation(“com.google.guava:guava:28.2”)

}

​

liba

1.5.2

app

1.0.0

libz

0.2.1

guava

19.0

guava

33.4.8

guava

28.2

liba

1.5.2

app

1.0.0

libz

0.2.1

guava

19.0

guava

33.4.8

guava

28.2

Maven:

​

“nearest wins”

​

​

Gradle:

​

“highest version wins”

​

​

​

guava

28.2

guava

33.4.8

Jake Wharton - March 2024

https://jakewharton.com/nonsensical-maven-is-still-a-gradle-problem/

​

“Maven’s dependency

resolution strategy

is objectively bonkers”

​

Jake Wharton - March 2024

https://jakewharton.com/nonsensical-maven-is-still-a-gradle-problem/

Java classpath

what Java libraries do you have

in production

right now?

do you have outdated libraries in production?

do you have SNAPSHOT libraries in production?

Microservice

app:1.5.2

​

sharedlib:1.8.3

​

swagger-annotations:2.2.31-SNAPSHOT

• hundreds of libraries on the runtime classpath

​

• open source libraries + internal libraries

​

• Java, Kotlin, Scala

​

Modern Java applications

“Let’s add one more Java library ”

Java library

Dependency Hell

Dependency Hell

is a

common problem

Dependency Hell

@ gilt.com (2015)

Dependency Hell

@ Netflix (2017)

​

Gradle’s optimistic dependency resolution may inadvertently upgrade dependencies, causing compatibility issues.

​

Taming dependency hell

Pin dependency

to a specific version?

​

configurations.all {

resolutionStrategy {

force 'com.example:foobar:0.9.2'

}

}

​

Mike McGarr

Netflix, 2017

Google JLBP

​

“Google Best Practices for Java Libraries are rules that minimize problems for consumers of interconnected Java libraries“

​

jlbp.dev

JLBP-1

​

Minimize Dependencies

​

“Scrutinize all dependency additions”

​

JLBP-1

​

Minimize Dependency Scope

​

“When you do add a dependency, keep it scoped as narrowly as possible”

​

JLBP-1

​

“Prefer JDK classes where available”

​

“For any given functionality, pick exactly one library”

JLBP-1

​

Separate the tool classpath from the product classpath

​

JLBP-11

​

Keep dependencies up to date

​

JLBP-11

​

“Release no later than 6 weeks after any of your dependencies releases a higher version”

​

JLBP-11

​

“Staying up to date is also important to ensure that security fixes are rolled out promptly”

​

JLBP-15

​

Publish a BOM for multi-module projects

​

JLBP-16

​

Ensure upper version alignment of dependencies for consumers

​

JLBP-16

​

“The version of each dependency added to the classpath should the highest version in the dependency tree”

​

Common problems

with Java dependencies

Compilation failure

​

[ERROR] bad class file: /Users/skywalker/.m2/repository/org/apache/iceberg/iceberg-api/1.9.2/iceberg-api-1.9.2.jar(org/apache/iceberg/IcebergBuild.class)

​

[ERROR] class file has wrong version 55.0, should be 52.0

​

​

class file has

wrong version 61.0,

should be 52.0

​

Dependency misalignment

jackson-databind:2.19.2

jackson-core:2.19.0

Scala sadness

jackson-module-scala_2.12-2.19.2.jar

jackson-module-scala_2.13-2.19.2.jar

🚩 what if both of these jars are on the classpath? 🚩

​

• dependencyConvergence
• requireUpperBoundDeps
• banDuplicateClasses

Maven Enforcer plugin

Gradle Enforcer plugin

Gradle Enforcer plugin

✅ DependencyConvergence

Let’s talk about OpenRewrite

OpenRewrite recipes

​

• AddDependency
• RemoveDependency
• ChangeDependency
• UpgradeDependencyVersion

Final thoughts

​

• Build often
• Release often
• Ownership
• consider OpenRewrite for complex migrations

Questions?

The End

Bonus

Let’s talk about Netty

Netty dependencies

• some Netty artifacts are platform dependent

​

• use artifact classifiers

Example: artifact <classifier>

Linux x86

Linux ARM 64

Example: artifact <classifier>

Devnexus 2021

Taming Java Dependencies @ Google

Stephanie Wang

JConf 2022 : Dependency management

Roberto Perez Alcolea

David Handermann [ exceptionfactory.com ]

Let’s talk about JCenter

JCenter repository

end-of-life

​

“At the end of the sunset, all JCenter requests will automatically be redirected to Maven Central and served from there.”

​

Forcing gradle to check

for updated versions

​

./gradlew build --refresh-dependencies

​