When you work in a team, you may come across a situation when somebody pushes changes to a file you are currently working on. If these changes do not overlap, the conflicting files are merged automatically. However, if the same lines were affected, Git cannot randomly pick one side over the other, and asks you to resolve the conflict. In this screencast, we’re going to take a look at resolving merge conflicts.
Open source software is everywhere. Most likely you are using some open source projects either at work and/or in your side projects.
Pros and cons of using dependencies
One of the upsides of using Java as a programming language, is that there are libraries and frameworks available to do many of the things we want to do in our projects, but don’t necessarily want to write ourselves. Using existing libraries and frameworks helps us deliver business value faster.
Unfortunately, there are also downsides to using external dependencies. The most dangerous being when security vulnerabilities are found in libraries many of us use, like the Log4Shell vulnerability in the log4j logging library that was disclosed in December 2021 and the Spring4Shell vulnerability in Spring in March 2022. These vulnerabilities were so severe that we had to patch all our services ASAP. Even if the version of a dependency you use does not have any known vulnerabilities, you might need to update them for other reasons.
In addition, adding dependencies to your project also has an impact on the size of your binary. For example, Brian Vermeer has created a demo to show the number of lines of code written versus number of lines pulled in by Spring. Granted, he admits that “this was the most useless Rest endpoint you could ever write”, but this demo clearly shows how the code pulled in by dependencies can overshadow to amount of code you write yourself.
A balancing act
This means we have to think carefully about which dependencies we want to use. Some developers try to add little or no external dependencies to their projects. This is one way to avoid the downsides mentioned above. Another argument may be that it gives you more control over the code in your project. Of course, the downside here is that you have to write everything yourself, which might not always be the best idea. For example, I’d rather use JUnit and Mockito than write my own testing and mocking frameworks. On the other hand, we shouldn’t just add any library or framework, as we’ll have to not only implement them now, but also maintain them over time. Or even remove them in the future, which is not always easy. Some projects, like Lombok or Reactor, will be present throughout your code base and hard to remove should you ever want to (for example, when moving to Kotlin & coroutines).
Most of us will be somewhere in the middle; we don’t want to write everything ourselves, and we will use certain frameworks and libraries that offer us some useful functionality, but we also want to make sure we can continue to maintain our project without having to (urgently) update dependencies or rewrite our code because something is vulnerable or otherwise outdated.
What to consider when selecting dependencies for your project
The best time to check your dependencies is before you add them. The second-best time is now. So take a critical look at any dependencies you’re adding or already using and consider the following:
Do we really need this dependency?
To make it worth it to use a dependency, it has to solve our problem and do so without adding new problems. We need to consider if the project fits our needs. We can do so by reading the documentation, and by seeing what experience other users already have with a particular tool. Keep in mind that, just because other users are enthusiastic about a particular library, that doesn’t necessarily mean it’s right for you. Their context or use case might be different from your own. There might be other libraries out there offering similar functionality that are a better fit for your project.
Also consider how much of the library you’ll actually use. If it is only a small part, consider other solutions. For example, do we really need to import StringUtils to use it for one or several String functions, or can we write them ourselves? (And, if we moved to Kotlin since then, we might be able to replace them with standard Kotlin functionality.) Or are we already using another library for this particular problem? For example, we won’t need gson if we are already using jackson (or vice versa)?
Is the project well maintained?
If a project is no longer maintained, we run the risk of having to urgently replace it if security vulnerabilities are found. To see if a project is actively maintained, you can check when the last release was, and how frequently new versions come out; you can find this information for example on Maven repository. You can also check when the last commit was, and whether the project is maintained by one person, or a group of active maintainers. A project that depends on one particular person runs the risk of becoming unmaintained if that person no longer has the time and energy to maintain that project. Maintaining a successful open source project can be a thankless task and maintainer burnout is real. With multiple maintainers the load and risk can be shared. You might want to look into how many open Issues and Pull Requests (PR) there are, and the interaction on those Issues & PR’s. You can find this information on GitHub or wherever the code for the project is kept.
How popular is the project?
A popular project might have more stars, watches and forks on GitHub. Although these metrics don’t necessarily mean that people are using it; they might have starred it to try it out later. These metrics might be useful when comparing similar tools, but not necessarily when comparing different tools.
A widely used project will likely have more people talking and writing about it. Having a large number of users means more people who are able to help out others. It also means there are more potential contributors, but unfortunately a high number of users doesn’t always translate to a high(er) number of contributors. And just because a project is popular doesn’t mean it’s right for you.
What is the community like?
Consider whether the community is friendly and welcoming. How do they interact with their users and (potential) committers? How do they respond when issues are reported? Do they review PR’s quickly and offer constructive feedback? Friendly maintainers often make for a more friendly community. They might be active in official support channels like Slack, Gitter or mailing lists, or help answer questions on StackOverflow, write talks and blog posts or find other ways to share their knowledge.
Is it easy to use?
Finally, consider whether the project easy to implement & use, and whether you like using it. Developers have personal preferences with regard to almost everything in software development, including which tools they like to use. If a popular framework doesn’t work for you, and you have options, choose something else! Part of whether a project is easy to use might include how well documented a project is. Good documentation can help make it easier to use. Consider looking at the official documentation, as well as blogs and content created by users. The official documentation will (hopefully!) explain how a project is meant to be used.
What is the latest stable version? Are there any open vulnerabilities?
Once you’ve decided to import a dependency, make sure to add the latest stable version. We don’t want to add an older or unstable versions that we then have to update. And we definitely don’t want to import a dependency that has known vulnerabilities that have not (yet) been fixed! We want to keep our software secure and maintainable.
Where to find this information
As mentioned, there are several places where we can look for information about a dependency we are considering. One is Maven repository where we can find open source packages, their versions, whether there are any known vulnerabilities and more.
For example, when we look at Jackson Databind on Maven repository we see a list of versions and their release dates, we see the number of usages by other artifacts for each version, and we see a warning in red for versions with known vulnerabilities.
When we look at the details of a version with known vulnerabilities (Jackson Databind v2.13.2 in this example), we see the CVE number for this vulnerability which links to the details for this CVE). There is also a warning in yellow that there is a new version for this artifact with the link to that version.
Another is to find the project’s code on GitHub, to look at the code itself, see when the latest commit was, look at open Issues and PR’s, and check Insights for more details on contributors, frequency of commits and other activity.
We can look for official documentation and read (or at least scan) it to see whether the project is a good fit for us, and whether it is well documented. Other information might take a bit more effort to find: Go into the support channels and ask questions. Search for blog posts (or YouTube videos, if you prefer) and other places where you can find information. We might even check StackOverflow to see whether there is a tag for this dependency, how many (open) questions there are, etc.
JetBrains has created a Package Search website that can be used to search for Java and Kotlin libraries and get a lot of this relevant information, including the latest (stable) version, links to relevant tags on StackOverflow, links to the official docs and the code, and if the project is on GitHub the number of stars, watchers and forks on the Information tab. A list of versions (similar to the one on Maven repository) can be found on the Versions tab.
Carefully consider which dependencies to use, taking into account at least some of the things we have discussed here. The best time to do so is before you start using them. But don’t forget to periodically check the dependencies in your existing codebase to see if you still use them, and still want to use them based on the considerations above. Don’t be afraid to remove them if they no longer bring you value.
In this blog post, we will look at some standard Maven commands that can help us manage our dependencies and keep them up to date. These are useful to see both direct and transitive dependencies used in the project, look for version updates of dependencies and plugins, and look for unused dependencies that may be removed. All of these can be useful to keep our dependencies up to date.
Pre-requisites
For the examples in this post, we are using the following tools and versions:
IntelliJ IDEA Community Edition 2022.2.1 – which you can get here
Example project from GitHub (Note: this is an outdated & unmaintained project, which makes it useful to show how to find outdated dependencies)
Maven 3.8.6 (optional, see note below) – Install Maven
Note: Maven wrapper
The project we are using in this example includes a Maven wrapper. If the project you are working on does not have a Maven wrapper, you will need to have Maven installed on your local machine. To add Maven wrapper to your project, run the following command in your terminal: mvn wrapper:wrapper and commit the result. Now anyone who uses the project can use the Maven wrapper without having to install Maven locally, and using the same Maven version.
Using Maven to display dependency updates
We can use Maven to check if there are updates available for the dependencies we are using in our project. Run the following command in your terminal: ./mvnw versions:display-dependency-updates.
This will display a list of dependencies for which newer versions have been found.
As you can see, there are quite a few dependencies that need to be updated in this project. The reason is that this is an old project that was created from a tutorial years ago and not maintained since. The upside is that it is a great project to use as an example for finding outdated dependencies.
Using Maven to display plugin updates
The same is possible for plugins. Check which plugins can be updated by running the following command in your terminal: ./mvnw versions:display-version-updates.
On the example project, this provides the following result:
This project doesn’t really use a lot of plugins. Your actual projects might, so I wanted to include this command here.
Overview of dependencies: dependency-tree
To see all the dependencies you are using in your project, run the following command in your terminal: ./mvnw dependency:tree. This will return a list of the dependencies declared in this project, and their transitive dependencies:
Of course, you can also find the declared dependencies in your pom.xml, but it’s good to have an idea of which transitive dependencies they bring in.
Filtering the dependency tree
The dependency tree for this example project is rather small, like the project itself. Your actual projects at work might be much bigger. If needed, you can filter the dependency tree.
To check where a specific dependency is coming from, use the following command: ./mvnw dependency:tree -Dincludes=<groupId>:<artifactId> containing the groupId and artifactId of the dependency you are looking for.
For example, if we would like to see where this project is getting the slf4j dependency, we would run ./mvnw dependency:tree -Dincludes=org.slf4j:slf4j-api. We see that we get this transitive dependency through Hibernate:
For more information on filtering the dependency tree, see the Maven documentation.
Effective pom
The effective pom is the POM that results from the application of interpolation, inheritance and active profiles. To generate the effective POM, run the following command in your terminal: ./mvnw help:effective-pom.
When running this command on the the example project, the result will be fairly small, because it is a relatively small project. For a large project, the effective pom will be much bigger. If needed, you can write the effective POM into a log file using the following command: ./mvnw help:effective-pom --log-file log.txt.
Use Maven to find unused dependencies
We can also use Maven to find unused dependencies. Run ./mvnw dependency:analyze on the example project gives us the following results:
We see that we have “Used undeclared” dependencies, like org.springframework:spring-beans. If we search for that dependency, by filtering the dependency tree for that particular dependency using ./mvnw dependency:tree -Dincludes=org.springframework:spring-beans we see that it is a transitive dependency from Spring-webmvc:
We also see some “Unused declared” dependencies. If these are dependencies you truly don’t need, it might be a good idea to remove them from your pom.xml. (Note: In this example, JUnit is unused because the tutorial this project is based on didn’t include any tests. If that is the case for your project, consider adding tests instead of removing this dependency!)
Conclusion
Maven offers several ways to help us keep our dependencies up to date. Using the commands above can help us to keep the dependencies we need up to date, and to remove the dependencies we no longer need.