The Art of Cherry Picking

Oops, you committed your code to the wrong branch… You could redo the work, but you don’t want to! Luckily, the IDE can help you move your commit to a different branch. Use Git’s cherry-pick option from your IDE to move changes over to a different branch in a quick, low-stress way.

The Art of Cherry Picking


Using bots to keep our dependencies up to date

Any real world Java project will likely use external dependencies. As we’ve seen over the last few years, it’s important to keep these dependencies up to date. We used to have to manually check for updates, but fortunately these days there are tools available that can help us with this. Because, let’s be honest, most developers don’t enjoy maintaining applications. We’d much rather be using cool new tools and/or language features, and solving interesting problems. Sorry, I mean: delivering business value! But we are responsible for keeping our dependencies up to date, so let’s make that as easy as possible. In this blog post we will look at one category of tools that can help us: bots that can automatically create pull requests (PRs) to keep dependencies secure and up to date. 

For Java, we currently have three options: Dependabot, Renovate and Snyk Open Source. They each support other programming languages too, but as I mostly use Java and other JVM languages I have limited myself to these. Let’s take a look at which features they provide and their similarities and differences.

Sidenote: In order to try out and compare these bots, I’ve added them one by one to my personal GitHub profile and will describe here how to add them to your GitHub profile, as well as link to information about other integration options.


The first bot we will look at is Dependabot. Since Dependabot is GitHub native, we can enable most of its features from the Settings > Security > Code security and analysis. Here we can enable (or disable) the available features, and select which ones we would like to automatically enable for new repositories. 

Dependabot settings on GitHub
Dependabot settings on GitHub


Dependabot offers the following features: Alerts, security updates and vulnerability updates. 

When Dependabot is enabled, it provides a Dependency Graph under the Insights tab of your project. The Dependencies tab shows any alerts to the owner of the repository. The Dependents tab shows any projects that depend on your project. In the Dependabot tab version updates can be configured.

When we enable Dependabot alerts, we will receive alerts for vulnerabilities in our repositories and we can manually generate pull requests (PRs) to resolve them. We can configure how we would like to receive these alerts. We can also view them in the Dependency Graph in the Dependencies tab.

GitHub project Insights tab with the Dependabot Dependencies graph Dependencies tab open and yellow alert stating We found potential security vulnerabilities in your dependencies.
Dependabot Dependencies graph

We can click the button to View Dependabot alerts to see more information about the alerts.

Details of Dependabot alerts on GitHub, listing several Critical updates
Dependabot alerts

Pull requests

When we enable Dependabot security updates, Dependabot will open pull requests (PRs) automatically to resolve vulnerabilities. These PRs provide information about the severity of the vulnerability, CVSS base metrics, and CVEs. We can hover over the CVSS base metrics and CVEs to get more information. We can review the changes, or dismiss the alert.

Dependabot pull request for a security update on jackson-databind with information about the vulnerabilities found.
Dependabot security update

To enable version updates, you need to add a dependabot.yml file to your repository.


In this configuration file, you need to provide the package manager, the directory that contains your manifest file and a scheduling interval (daily, weekly, or monthly). You can configure more options, like when it should be scheduled (date, time, timezone), the maximum number of PRs (the default is 5), rebase strategy, settings that can help you manage the PRs like target branch, assignees, reviewers, commit messages and labels, and more. For more information on configuration options, see the Dependabot documentation on configuration.


While Dependabot is GitHub native, it is possible to run it locally or on GitLab too. 


Like Dependabot, Renovate offers security updates and version updates. In addition, Renovate will also create a project dashboard listing all updates needed on a particular project.

Renovate is available on GitHub via a GitHub app. To configure Renovate for your GitHub account, go to Renovate allows you to set Repository access to either All repositories or Only select repositories. Renovate is the only one of these three options that allows you to try it out on only one repository first, so if you’ve never used one of these bots, I’d recommend starting with Renovate on one repository.

Install Renovate on your personal account with the option to select All repositories or Only select repositories.
Install Renovate

Renovate will create an onboarding pull request to the selected repositories. The onboarding PR contains basic configuration for Renovate to run. It describes the configuration in a Configuration Summary, and provides some information about What to Expect when the PR is merged (in this example, a list of PRs that will be opened).

Renovate onboarding PR with Configuration Summary
Renovate Onboarding PR
What to Expect section of Renovate's onboarding PR listing which PRs will be opened.
Renovate What to Expect
Renovate basic configuration
Renovate basic configuration

Note: These screenshots were taken from the PR created in September 2022. It may have changed since then.


Renovate offers additional configuration options. In addition to setting a maximum number of PRs, Renovate allows you to to set a maximum number of concurrent branches or even an hourly limit, which can help to keep the number of open PRs and branches manageable. Renovate also lets you configure when to rebase (or not), and settings to help you manage the PRs assignees, reviewers, commit messages, labels, and more. Overall, Renovate offers more configuration options, and these options are more fine-grained than Dependabot’s options.

For more information, see the Renovate documentation on configuration options.

Once the onboarding PR is merged and the configuration file is added to your repository, Renovate will start opening pull requests with updates on the selected repositories.

Renovate pull request for jackson-databind security update
Renovate pull request

Pull requests

These PRs contain information about the reason a PR was created including which package was updated, the current and new version, as well as the following information to help you decide whether or not to merge the PR and apply the update (apart from your build being green).

  • Age: The age of the package
  • Adoption: The percentage of this package’s users (within Renovate) which are using this release
  • Passing: The percentage of updates which have passing tests for this package
  • Confidence: The confidence level for this update

For more information, see the Renovate documentation on merge confidence.

Auto merging PRs

In addition, Renovate offers the option for rule based auto merging of PRs; a feature that lets you automate upgrading dependencies. When auto merging is enabled, Renovate tries to merge the proposed update once the tests pass. Renovate recommends that you enable auto merge only for any type of dependency updates which you would just merge anyway, and keeping auto merge disabled for updates where you want to review the release notes and/or code before merging. Of course, great test coverage is also very helpful here! Renovate is currently the only of these three options that offers this feature.


Finally, Renovate will add a Dependency Dashboard to your project, listing all Renovate updates and detected dependencies. This dashboard can be enabled or disabled as desired. 

GitHub project Issues tab with a Renovate Dependency Dashboard link
Renovate Dependency Dashboard
Renovate project Dashboard with a list of all outdated dependencies that can be updated.
Renovate project Dashboard

In addition, Renovate provides a general dashboard with all projects & jobs run, which you can find under if you have Renovate enabled.


Note: If you are not using GitHub, Renovate currently also supports other platforms. For more information, see the Renovate documentation on supported platforms.

Snyk Open Source

Snyk Open Source is available from Snyk. There are more steps to enable it for your GitHub Profile, but it also offers more features. To enable Snyk Open Source, go to and select Start free. You will need to Authorize snyk on your GitHub profile, select repository access (either Public and private repos or Public repos only), select other available features you want to use, and provide a Personal access token on GitHub.

Snyk Open Source website with the option to Start free
Snyk Open Source Start free


In addition to security updates, version updates, and dashboards, Snyk Open Source offers to test for new vulnerabilities and/or test for vulnerabilities in source code. These options are currently not offered by Dependabot or Renovate. As this blog post focussed on tools to help you detect possible vulnerabilities in your dependencies and automatically create PRs to upgrade them, we will not look at scanning the source code for vulnerabilities here.

Snyk Open Source screen to Select GitHub repository access for Public and private repos or Public repos only with additional features to select
Snyk Open Source GitHub repository access and additional features

Pull requests

When enabled, Snyk Open Source will open PRs on the selected repositories. These PRs also include information about the reason for the PR, severity of a vulnerability, priority score and why it has this score, details of the version upgrade (current and new version), and more.

Snyk Open Source pull request for jackson-databind with information about the vulnerability found.
Snyk Open Source pull request

By default, Snyk Open Source will combine related updates into one single PR to help reduce the noise. Dependabot does not currently offer this option, while Renovate can be configured to do something similar.

Snyk Open Source pull request that bundles several updates.
Snyk Open Source combined PR

Snyk Open Source also has the option to test for new vulnerabilities. When enabled, incoming PRs will be checked for known vulnerabilities to make sure that no known vulnerabilities are added to the code base. Dependabot and Renovate do not currently offer this feature.

GitHub screen saying All checks have passed including a Snyk Open Source security test has passed
Snyk Open Source security test on PRs


We can configure the frequency with which Snyk Open Source should run (daily, weekly, never). We can enable or disable scanning for new and/or known vulnerabilities, so we can clear our backlog of known vulnerabilities separately from making sure we don’t get any new vulnerabilities. This might help getting started with updating outdated dependencies without getting overwhelmed with too many updates. Dependabot and Renovate do not currently offer this option. Finally, we can also enable or disable PRs for a single project, so we can start using Snyk Open Source on a single project like we can with Renovate, but this is not a default option. 


The dashboards offered by Snyk Open Source are the most extensive of these three options. The dashboards provide an overview of known vulnerabilities found in your repositories with the number of vulnerabilities and their severity visible per project and overall.

Snyk Open Source Dashboard listing pending tasks and vulnerable projects and an issues summary, listing number and severity of vulnerabilities found.
Snyk Open Source Dashboard


You can use Snyk Open Source in the Snyk Web UI, with the Snyk CLI, in your IDE, or with an API. For more information, see the Snyk Open Source documentation.


As we have seen, the different bots offer different features. All of the options discussed here can automatically open pull requests for vulnerable dependencies and version upgrades. The information they provide with these PRs differs, as do the number and type of configuration options. Which bot is right for you will depend on needs and preferences.

Links / sources:

Using bookmarks in IntelliJ IDEA

In this blog post, we’re going to take a look at using bookmarks in IntelliJ IDEA. Bookmarks can come in handy while navigating a codebase, when you see something interesting that you want to come back to later. You could use Recent Files (⌘E on macOS, or Control+E on Windows/Linux) to find it, but then you have to remember which file it was. This is where bookmarks come in handy. Let’s take a look!

Add anonymous bookmarks

We can bookmark a line by pressing F3 (on macOS) or F11 (on Windows/Linux). This shortcut creates an anonymous line bookmark, marked with a Bookmark icon. If we don’t remember the shortcut, we can right-click the gutter next to the line of code we want to bookmark and select Add Bookmark.

Anonymous bookmark
Add bookmark from gutter menu

We can also bookmark files, packages, folders, and modules. We can open the Project Tool Window (⌘1 on macOS, or Alt+1 on Windows/Linux) and add an anonymous bookmark. We can use the shortcut (F3 on macOS, or F11 on Windows/Linux) or, we can also right-click the item we want to bookmark, and select Bookmarks | Add Bookmark. Note that anonymous bookmarks don’t have an identifier, and we can create as many anonymous bookmarks as we like.

Bookmark a project item

Add mnemonic bookmarks

We can also create bookmarks that are assigned to a digit (0 to 9) or letter (A to Z). To add a mnemonic line bookmark, press ⌥ F3 (on macOS) or Control+F11 (on Windows/Linux) and press the digit or letter to use as an identifier for this bookmark. Again, we can also or right-click the gutter next to the line of code that you want to bookmark and select Add Mnemonic Bookmark.

Add mnemonic bookmark menu

Optionally, we can provide a description for the new bookmark. We can double-click the digit or letter we want to assign.

Add mnemonic bookmark

Lines marked with mnemonic bookmarks have the corresponding digit or letter icon in a frame.

Mnemonic bookmark

If the selected digit or letter is already in use, IntelliJ IDEA will ask you whether you want to overwrite an existing bookmark with the new one. When we select the Don’t ask again option, the IDE will silently overwrite mnemonics.

Rewrite mnemonic

Navigate to bookmarks

There are several options to navigate to the bookmarks we have created.

Show line bookmarks

To see all line bookmarks that we have in the code, we can open the Bookmarks popup by pressing ⌘ F3 (on macOS) or Shift+F11 (on Windows/Linux) or go to Edit | Bookmarks | Show Line Bookmarks.

Show Line Bookmarks shortcut
Show Line Bookmarks menu

Notice that this list does not contain any project items like files or classes that we have bookmarked. In the Bookmarks popup, we can select the bookmark we want to navigate to, either with up and down arrows and pressing Return (on macOS) or Enter (on Windows/Linux), or by double-clicking it with our mouse. For mnemonic bookmarks, we can select the corresponding digit or letter.

Bookmarks popup

Jump to mnemonic bookmark

To jump straight to a mnemonic bookmark, hold ^ (on macOS) or Control (on Windows/Linux) and press the mnemonic digit or letter on the keyboard. This doesn’t work with anonymous bookmarks, but we can assign a mnemonic to an existing anonymous bookmark, either using the shortcut, or by clicking the bookmark in the gutter and selecting Assign Mnemonic. This works in the Bookmarks popup too!

Go to Bookmark
Assign Mnemonic

Bookmarks tool window

To see all our bookmarks, we can open the Bookmarks tool window by pressing ⌘ 2 (on macOS) or Alt+2 (on Windows/Linux), or by selecting View | Tool Windows | Bookmarks from the main menu.

Open Bookmarks tool window (shortcut)
Open Bookmarks tool window menu

IntelliJ IDEA adds your bookmarks to the predefined list in the Bookmarks tool window that is created automatically and has the same name as the project. In this example, multiple bookmarks in the same file are grouped together. We can also turn that off in the Options menu, by deselecting Group Line Bookmarks by File. As we can see, there are several other options as well. We won’t dive into all of them, but be aware there are some options you can configure to your liking.

Bookmark tool window options

Bookmark lists

Another option we do want to show you here is that you can create more lists. We can add a new list using the shortcut (⌘ N on macOS or Alt+Insert on Windows/Linux) or by clicking the Create Bookmark List button. We can add a name for the new list.

Create Bookmark List

If there are multiple lists, and we create a new bookmark, we can select which list to add it to in the Add Bookmark popup. We can also select the list to use as the default by checking the option Use as default list.

Select Bookmark List

In the Bookmarks tool window, we can move bookmarks to another list by dragging them to the other list. And we can sort bookmarks by selecting a bookmark and using Move down (⌥ ⌘ ↓ on macOS, or Control+Alt+↓ on Windows/Linux) or Move up (⌥ ⌘ ↑ on macOS, or Control+Alt+↑ on Windows/Linux).

Move down

Fun fact: The Bookmarks tool window also shows all breakpoints that are automatically added to the dedicated list once you place them in your code.


Bookmark editor tabs

Finally, we can also bookmark editor tabs. Click the  to the right of the tabs and select Bookmark Open Tabs. We can enter a name for this list in the Create Bookmark List popup.

Bookmark Open Tabs
Create Bookmark List popup

Summary and Shortcuts

As we’ve seen, bookmarks allow us to “save” certain interesting locations in the code base, so we can easily go back to them later. Now we know how to create bookmarks and how to navigate to bookmarks we have created.

IntelliJ IDEA Shortcuts Used

Here are the IntelliJ IDEA shortcuts that we used.

NamemacOS ShortcutWindows / Linux Shortcut
Recent files⌘ ECtrl+E
Open / Close Project Tool Window⌘ 1Alt+1
Add anonymous bookmarkF3F11
Add mnemonic bookmark F3Ctrl+F11
Open bookmarks popup⌘ F3Shift+F11
Jump to mnemonic bookmark^ + mnemonicCtrl+mnemonic
Open Bookmarks Tool Window⌘ 2Alt+2
Create Bookmark List⌘ NAlt+Insert
Move down⌥ ⌘ ↓Ctrl+Alt+↓
Move up⌥ ⌘ ↑Ctrl+Alt+↑
Shortcuts used

Related Links

Using bookmarks in IntelliJ IDEA

When navigating a codebase we might see something interesting that we want to come back to later. This is where bookmarks can come in handy. Let’s take a look!

We can bookmark a line by pressing F3 (on macOS) or F11 (on Windows/Linux). This shortcut creates an anonymous line bookmark, marked with a Bookmark icon. If we don’t remember the shortcut, we can right-click the gutter next to the line of code we want to bookmark and select Add Bookmark.


  • (documentation) JetBrains IntelliJ IDEA – Bookmarks
  • (guide) JetBrains IntelliJ IDEA Guide – Bookmarks
  • (documentation) JetBrains IntelliJ IDEA –Breakpoints

Benefits of joining a Code Reading Club

Several months ago I heard or read about Code Reading Club for the first time. It might have been a tweet by Felienne Hermans, or it might have been in her excellent book The Programmer’s Brain, but I was intrigued. As a developer, I’ve often wondered what would be the best way to familiarise myself with a new codebase, or the best way to really understand what a specific piece of code does. Of course, I’ve learned several techniques over time, but the idea to deliberately practice reading code? Brilliant! So imagine my surprise when my friend Lisi Hocke reached out to ask me if I would be interested in joining her Code Reading Club. Well, yes!!

Online tooling

The club consists of several members in different countries and even different time zones and takes place online. We decided on a day and time that works for us, and use collaborative tools like Miro or Jamboard for our sessions.
This means everyone needs to make sure to have the code sample printed, or have a digital copy they can annotate with a digital tool. (And no, this is not supposed to be an IDE or editor with syntax highlighting, as part of the exercises is to look at the structure of the code.)


All of our sessions so far have used the same exercises, using a different code sample (in a different language) each time. The exercises are taken from the starter kit.

The first session was very well prepared with a Miro board that contained everything we needed for the online session. The board contained the exercises, the code example and (where needed) space for us to place virtual post-its with our comments.


We started our first session with a round of introductions, since not everyone in the group knew each other. We try to repeat that when new people join, as unfortunately not everyone is able to join every session.

Setting the scene

We start each session writing down what we are looking forward to or are excited about, as well as what we are worried or confused about. In the first session these comments were more about our expectations for the Code Reading Club in general.

For example, people mentioned they were excited about the following:

  • Getting used to thinking through problems with unfamiliar tools & languages
  • Understanding how others think about programming
  • Taking advantage of our different experiences to learn more about code
  • Looking forward to learning – both about code and about new people
  • Some people also mentioned specific goals like getting better at code reviews, or improving their coding skills (from reading to writing).

In the next sessions the comments were sometimes more about how we were feeling (from being tired at the end of a long week, to being happy to see each other again) and about our progress in the club (for example, learning from each other, or fearful we’re not picking it up as quickly as we would like). What I love is that people feel safe in the group to share how they feel. And everyone is excited to learn with and from each other, and is supportive of each other.

First glance

The first exercise in code reading is called “First glance”. It literally asks to take a quick (1 minute) look at the code and note the first thing(s) you notice about it, and why. We’ve found that different people notice different things, for example things they are familiar with or confused about.
Some people focus on which language it is, or which programming constructs they recognise, while others focus on naming, whether or not there are comments or even import statements.

What’s also interesting is to talk about why these are the first things you noticed. Do you read the code from top to bottom like you would a piece of text in natural language (like this blog post), or do you scan the code and look at the blocks of code first, before looking at details? Do you focus on known or unknown concepts? All of these are opportunities to learn from each other and look at code differently next time.

Code structure

The next exercise is to examine the structure of the code, or rather its components or elements. We mark the variables, functions/methods, and object instances. It can be very interesting to identify these in a “foreign” programming language! We also draw connections between these elements in the code; for example, linking where a variable is used throughout the code, or a method call to a method.
This exercise is intended specifically to look at the structure of the code, and not its purpose. This turns out to be very hard, especially for people who really like to understand what’s going on! (Don’t worry, we’ll get there!)


Next, we each identify the 5 most important lines of code. We notice that not everybody chooses the same lines, so we also discuss why people chose those lines in particular and learn from each other’s insights. For example, we don’t always have the same understanding of the meaning of “important”; does it mean important for the code to execute, or to understand what the code does? If the former, you might choose a main method as an important line of code. If the latter, you might choose a comment. Other people look at which lines are important for the control flow, or which lines are important to determine what to test (since some of the team members have a testing background).


The last exercise is to summarize the purpose of the code, or to describe what you think the code does to the best of your ability. It is interesting to see whether people have the same understanding of the code or not, but more interesting to see which information they use to get there. What strategies do they use to come to that particular understanding of the code? Which information in the code do they use? Or which knowledge of a particular language or concept? Often there is a lot of tacit knowledge involved. It can be really helpful to notice yourself making implicit assumptions and to make those explicit, not just for yourself but also for others to learn from.
This can also be a good time to explain where the code came from. It might help determine whether you think you’ve understood the code correctly. Although to me the point of the exercise is not to “get it right”, this can be hard for some people, so it can be helpful for the host of the session to provide some context.


Finally, we reflect on the session and what we feel went well or could be improved for next time. One thing we noticed in the first few sessions was that we had to make sure we all had the code ready to annotate it (either printed or in some tool).
Some positive notes were on the structure of the sessions in getting to the meaning of the code, someone who had the opportunity to explain a programming concept or language feature to others, learning with and from each other. Someone commented that having context would help understand the code; they found not knowing frustrating. Someone else said “next time, can we read good code?” which was followed up by someone else who said that since reading an unfamiliar language is hard enough, we should have well structured examples. And while I understand those comments, the hard truth is that unfortunately we have to be able to read code that might be poorly written / structured, so in my opinion it’s good to practice that.


Overall, I really love our Code Reading Club. It is interesting to me to practice reading unfamiliar code and to deliberately practice that skill. But what’s even more interesting is to learn from everybody’s different perspectives, the different interpretations and conclusions based on different backgrounds and knowledge. What is clear or obvious to one person might not be to someone else. Hopefully that insight will translate into code we write in the future to make it clearer to others, as well as provide us with empathy and understanding for the writers of the code we read (in our club or at work). I’d highly recommend trying out a Code Reading session when you get a chance, or even to start your own Code Reading Club.

Package Checker: Find and fix vulnerabilities inside IntelliJ IDEA Ultimate

In this blogpost, we’re going to take a look at the Package Checker plugin, that’s bundled with IntelliJ IDEA Ultimate. We’ll have a look at how to view known vulnerabilities in your Maven or Gradle projects, how to get more information about the known vulnerabilities in a specific dependency and how to remediate these vulnerabilities inside IntelliJ IDEA Ultimate if a new version with a fix is available.

Package Checker plugin

There are several ways to view known vulnerabilities for the dependencies to your project.

View vulnerable dependencies in Maven projects

In a Maven project, all of your project’s dependencies are declared in the pom.xml. When we open the pom.xml file for a project which contains vulnerable dependencies, we see that several dependencies are highlighted.

Maven pom.xml with vulnerable dependencies highlighted

The Package Checker plugin highlights vulnerable dependencies and when we hover over the highlighted dependency, IntelliJ IDEA Ultimate shows all the vulnerabilities that were identified in this particular dependency. When we click on link for the CVE for a particular vulnerability, we’re redirected to the Checkmarx Advisory to learn more about this specific vulnerability.

Maven pom.xml with hover

Another way to see all the vulnerable packages is by right-clicking on the pom.xml file and selecting Analyze > Show Vulnerable Dependencies. This will open the Vulnerable Dependencies tool window.

Open Vulnerable Dependencies tool window from pom.xml
Vulnerable Dependencies tool window

View vulnerable dependencies in Gradle projects

In a Gradle project, all of your project’s dependencies are declared in the build.gradle. When we open the build.gradle file for a project which contains vulnerable dependencies, we see that several dependencies are highlighted.

We can open the Vulnerable Dependencies tool window from the build.gradle file. For example, let’s have a look at the Spring PetClinic, which uses Gradle. We can right-click the build.gradle file and go to Analyze > Show Vulnerable Dependencies. This will open the Vulnerable Dependencies tool window.

Open Vulnerable Dependencies tool window from build.gradle
Vulnerable Dependencies tool window

View vulnerable dependencies in the Vulnerable Dependencies tool window

We can also open the Vulnerable Dependencies tool window without having to open the files where our dependencies are declared. To open the Vulnerable Dependencies tool window straight from the main menu, go to Code > Analyze Code > Show Vulnerable Dependencies.

Open Vulnerable Dependencies tool window from menu

The Vulnerable Dependencies tool window shows all the vulnerable dependencies for the project. For each vulnerability, we can see an indication of the severity. There are two different views; the flat view shows all the vulnerable dependencies in this project and the dependency hierarchy view shows the dependency tree and the hierarchy between dependencies.

Vulnerable Dependencies tool window flat view
Vulnerable Dependencies tool window dependency hierarchy view

When we click a specific dependency, we can see more information about the vulnerabilities that were found in that dependency. In the Vulnerable Dependencies tool window details pane on the right, we can click the link to Read more under the information about a particular dependency, which will take us to the information about this specific vulnerability in the Checkmarx Advisory.

Vulnerable Dependencies tool window details

To see all the dependencies of the project regardless of whether they’re vulnerable or not, we can click the Show safe button on the top left of the Vulnerable Dependencies tool window.

Show safe button

The dependencies without known vulnerabilities are shown with a green checkmark next to it. We still have the same two views; the flat view and the dependency hierarchy view. We can use the Show safe button to toggle between showing all dependencies or vulnerable dependencies only. We can use the Collapse all or Expand all buttons to collapse or expand the views.

Show safe dependencies

Remediate dependencies using IntelliJ IDEA Ultimate

Finally, we can remediate these vulnerabilities. We can click Copy safe version to clipboard in the Vulnerable Dependencies tool window details pane to copy the safe version and paste it into our build file.

Copy safe version to clipboard

We can also fix it directly in our build file. When we hover over a specific vulnerable dependency, the hover menu includes an action that we can click to upgrade the version (if a new version is available).

Show hover

Fixed version from hover

Alternatively, we can use the intention action shortcut, ⌥ ⏎ on MacOs, or Alt+Enter on Windows/Linux and select the action to upgrade the version (if a new version is available).

Show context actions
Fixed version from context actions

After we update the versions, we can Load Maven Changes, using ⌘⇧I on MacOs or Ctrl+Shift+O on Windows/Linux. We see that the overview in the Vulnerable Checker tool window is updated, and we see that dependencies that we have upgraded and are no longer vulnerable are removed, or shown with a green checkmark if we have enabled Show safe dependencies.

Load Maven Changes


Summary and Shortcuts

As we have seen, the Package Checker plugin bundled with IntelliJ IDEA Ultimate offers several different ways in which we can view vulnerable dependencies in our project inside IntelliJ IDEA Ultimate, get more information about these vulnerabilities, and remediate them. This plugin can help keep your projects safe and secure right inside your IDE!

Further reading and viewing

IntelliJ IDEA Shortcuts Used

Here are the IntelliJ IDEA shortcuts that we used.

NamemacOS ShortcutWindows / Linux Shortcut
Open / Close Project Tool Window⌘1Alt+1
Context Actions⌥⏎Alt+Enter
Load Maven Changes⌘⇧ICtrl+Shift+O
IntelliJ IDEA shortcuts used

IntelliJ IDEA Ultimate: Package Checker

In this screencast we’re going to take a look at the Package Checker plugin, that’s bundled with IntelliJ IDEA Ultimate

We’ll have a look at how to view known vulnerabilities in your Maven or Gradle projects, how to get more information about the known vulnerabilities in a specific dependency and how to remediate these vulnerabilities inside IntelliJ IDEA Ultimate if a new version with a fix is available.

Related Links

Managing dependencies in IntelliJ IDEA

In this tutorial, we’re going to take a look at managing dependencies in IntelliJ IDEA. We’ll look at different ways to add dependencies to your project, and how to add, upgrade and remove dependencies using Package Search.

Add dependencies

There are several ways to add new dependencies to your project.

From the build file using copy-paste

You have probably copied a dependency from Maven Repository (or another website) and pasted into your build file.

For example, we can copy the Gradle format for this dependency and paste it into our build.gradle file.

MvnRepository Gradle format

Copy dependency into build.gradle

Or, if we are using Maven, we can copy the Maven xml format into our pom.xml.

MvnRepository Maven format

Copy dependency into pom.xml

Did you know that if you copy-paste a Maven XML dependency into your build.gradle file, IntelliJ IDEA automatically turns it into the correct format for Gradle?

From the build file using code completion

We can also add dependencies to our build file using code completion. For example, let’s add a new dependency to our pom.xml.

Code completion in pom.xml

Code completion in pom.xml

Code completion in pom.xml

Code completion in pom.xml

We see that IntelliJ IDEA autocompletes the dependency xml, and we can search for the dependency we want, in this example AssertJ. If needed, the version number will also be added. Since this is a test dependency, we need to add the test scope, still using code completion.

Code completion in pom.xml

Code completion in pom.xml

Code completion works in Gradle too, as you can see below.

Code completion in build.gradle

Code completion in build.gradle

From the build file using code generation

We can also use code generation from the build file to add dependencies. In the build file, the pom.xml in a Maven project, invoke Package Search using ⌘N (on macOS) or Alt+Insert (on Windows & Linux) and in the menu that opens, select Add dependency. This will open the Dependencies tool window.

Invoke Package Search in pom.xml

Note that if we are using Gradle, we can do the same in our build.gradle file.

Invoke Package Search in build.gradle

From the Dependencies tool window

Alternatively, we can open the Dependencies tool window directly. There is no shortcut to open the Dependencies tool window, so we can either use Recent Files, ⌘E (on Mac) or Ctrl+E (on Windows/Linux), and type in “dependencies” to open the Dependencies tool window.

Recent Files Dependencies

Alternatively, we can open it by clicking Quick Launch in the bottom-left and selecting Dependencies.

Quick Launch Dependencies

In the Dependencies tool window, we can search for a dependency. For example, let’s search for AssertJ.

Search AssertJ

Note that we can select a scope for this dependency. The names of the scopes are based on the build tool with which you are working. Since this is a test dependency, and we are using Gradle in this project, we can set the scope to testImplementation.

Set Scope

We can also select the version we want to use.

Set Version

We can do the same in Maven.

Search AssertJ

Note that the names of scopes for Maven are different from Gradle. In Maven, we can set the scope for a test dependency to test.

Scope Maven

When we click Add, we see that the dependency is added to the build file.

Add AssertJ

If the version number is shown in red, that means IntelliJ IDEA hasn’t downloaded this library before. Click Load Maven Changes so IntelliJ IDEA will update its dependencies based on the changes to the pom.xml or build.gradle file.

Go back to the Dependencies tool window and clear the search box by clicking the x on the right-hand side. You’ll see the project’s dependencies are updated with your new dependency.

Next, let’s look for jackson-databind. We see that there are several versions available. Since we have selected Only stable, only stable versions are shown in the list.

Jackson-Databind Versions

If we uncheck this option, we see that the list of versions also includes the release candidates.

Jackson-Databind Only Stable Versions

For production code, we probably want to use stable versions, so let’s select the Only stable checkbox again. With this option enabled, IntelliJ IDEA will exclude any dependencies that have no stable versions, and hide them from the list. Now we can select the latest stable version and add this to our project. Let’s also Load Maven Changes again.

Finally, let’s also add a new dependency to the Kotlin module. Let’s switch to the Kotlin module and open the pom.xml for this module. Open the Dependencies Tool Window and search for Ktor.

Search Ktor

Notice that some dependencies are marked as Multiplatform.

Show Kotlin Multiplatform

If we want to see only Kotlin multiplatform dependencies, we can select the Kotlin multiplatform checkbox, as shown below.

Select Kotlin Multiplatform

When we click Add to the right of the Ktor dependency, we see that Ktor is added to the list of dependencies and to the pom.xml for the Kotlin module.

Add Ktor

Upgrade dependencies

We will also need to keep our dependencies up to date. To show you how IntelliJ IDEA can help, we are using this extremely outdated project as an example. In the pom.xml below, we see that several dependencies are marked with squiggly lines underneath them.

Outdated Dependencies in pom.xml

IntelliJ IDEA will show the suggestion to upgrade when we hover over the dependency, and we can click the suggestion to upgrade the dependencies.

Hover over outdated dependency

Alternatively, we can use Context Actions ⌥⏎ (on macOS) or Alt+Enter (on Windows & Linux) to upgrade these dependencies.

Context Actions

We can also upgrade our dependencies using the Dependencies tool window. The Dependencies tool window will tell us if there’s a newer version of a dependency, as we can see here.

Dependencies with newer versions

We can choose the version to upgrade to by clicking on the version number in the list. Note that we don’t have to use the latest version.

Select version

We can also automatically upgrade a dependency to the latest version by clicking Upgrade for that particular dependency.

Upgrade individual dependency

Or, we can even upgrade all our dependencies at once, by clicking the Upgrade all link.

Upgrade all dependencies

Remove dependencies

Finally, we can remove dependencies we no longer need. In the Dependencies tool window, let’s remove jackson-databind from the Java module. We select the dependency we want to remove (jackson-databind) and in the Dependency details pane on the right, click the More button (three dots) and select Remove.

Remove Dependency

We will see that the dependency is removed from the pom.xml and the dependency list. To remove a dependency from the whole project, select All Modules on the left.

Summary and Shortcuts

Now we know the different ways in which we can view our project’s dependencies in IntelliJ IDEA, and the different focus for each view.

IntelliJ IDEA Shortcuts Used

Here are the IntelliJ IDEA shortcuts that we used.

NamemacOS ShortcutWindows / Linux Shortcut
Open / Close Project Tool Window⌘1Alt+1
Recent Files⌘EControl+E
Invoke Package Search⌘NAlt+Insert
Context Actions⌥⏎Alt+Enter
Shortcuts used

Related Links

IntelliJ IDEA: Managing Dependencies

In this screencast, we’re going to take a look at managing dependencies in IntelliJ IDEA. We’ll look at different ways to add dependencies to your project, and how to add, update and remove dependencies using Package Search.

Related Links

Pair programming in Java with an 8 year old

Recently I asked my 8 year old if he would be interested in doing some Java programming with me, and he was. This was such a fun experience, I wanted to share it with you.

Why Java?

In the past, we have done part of a Scratch course by Felienne. So I know there are other programming languages out there that are made specifically for kids. However, I wanted to show him something that is a bit more like what his dad (also a software developer) and I do all day.

It was an explicit decision on my part not to bore him with Java syntax just yet, but instead to focus on what the program should do and getting a bit of understanding of how programming works. While most of the code was written by me, the behavior of our little application was based on our collective ideas.

Hello world!

We used IntelliJ IDEA Community Edition 2022.3, and I opened a new project using Java and Maven, thinking we would get started with a simple Hello World program (as you do).

New Project wizard in IntelliJ IDEA with Java and Maven selected, as well as JDK temurin-17
New Project wizard

It turned out that IntelliJ IDEA already includes the Hello World example when opening a new project, which was a nice surprise.

Hello world! program in Java
Hello world!

First, I asked him to run the program by clicking the run button (green triangle) in the gutter. He asked me what it means to “run” the program, so I explained this means having the computer execute the program, doing the thing the code tells it to do.

When we ran the program, we saw that the text “Hello world!” was printed in the command line. I tried explaining that “public static void main” is the main method, telling the computer where to start, but to be honest I’m not sure he understood that just yet.

Asking for user input

Next, I asked him whether he would like to print something else and what we would need to change in order to do so. He knew we had to change the green text (the String) to something else. He changed the word “world” in this String to his name and ran the program again.

My next suggestion was to ask the user for their name so the computer would be able to greet other people too. Here I briefly explained we would need some way to capture the user’s input. To do so, I added a Scanner and the variable “name”. After I made these changes, he ran the program and tested that it worked when he input his name.

A simple Java program using Scanner to output a question, capture the input and print the result
Asking for user’s name

Next, we discussed what else to ask the user. He wanted to ask for their favorite color and provide the “computer’s” favorite color as a response to their answer. We added another question and captured another variable to return to the user.

A simple Java program using Scanner to output a question, capture the input and print the result
Asking for name and favorite color

Selecting a language

Of course, while the kids speak some English, it is not their native language. So we decided to translate the output to Dutch to make it a little easier for him to understand. Next, he suggested we should give the user the option of using the program either in Dutch or in English. We started with a simple if/else statement and duplicated code blocks of asking the same questions in either Dutch or English, depending on the input.

A Java programming using an if/else statement to select a language
Selecting a language

He was quick to point out that we should think about what to do if the user provided a language or input we didn’t know. Good question! So we proceeded to add logic for that as well.

A Java program checking that input is a valid option before proceding.
Validate input

Next, we ran the program several times to check that it worked for each valid option, as well as (multiple) invalid options.

Next steps

Finally, we discussed what potential next steps we could take with this program. We had several ideas:

  • He wanted to know if it would be possible to remove the duplication somehow; for example, by getting the Dutch or English text from somewhere so we wouldn’t have to duplicate all the code. In our current program, the code for the Dutch version and English version is duplicated, meaning that for every additional question we want to ask the user, we have to make sure to duplicate that.
  • In one of my tests, I showed him that the computer would just capture and return whatever the user’s input was. The example I used was to answer “Hello, what is your name?” with a full sentence: “Hi, my name is Marit” to which the computer would reply “Hello Hi, my name is Marit, what is your favorite color?” which is a bit weird. So that is something to think about.


The most important thing is that we had fun. He was motivated to add new things to the program and to test that they worked. My choice to not focus on the details of Java syntax, but on the general program instead seems to have worked because he had fun and wanted to continue. He is already asking me when we can do this again, and has ideas of what we could do next.

The program was written based on his ideas and he did write some of it himself, mainly the Strings and some of the “System.out.println()” lines, after I showed him how to use IntelliJ IDEA live templates to do so; if you type “sout” and press Enter (or Return on Mac), IntelliJ IDEA will expand that to “System.out.println()” which he thought was very helpful.

What I noticed was that he was able to think about what the program should do, and had a rough understanding of how the code worked. Once we were done, he was able to explain our little program to his dad, and pointing to the relevant points in the code while explaining what they did. So I have the impression he has some understanding of how it works.

Overall, we had fun together coding and it was awesome to see how his mind worked when thinking about what the program should do and how, and how to test it. We are very much looking forward to continuing our little experiment.

Our code can be found on GitHub.