Keeping dependencies up to date with Maven

Maven logo

This article was also published on Medium.

In this blog post, we will look at some standard Maven commands that can help us manage our dependencies and keep them up to date. These are useful to see both direct and transitive dependencies used in the project, look for version updates of dependencies and plugins, and look for unused dependencies that may be removed. All of these can be useful to keep our dependencies up to date.

Pre-requisites

For the examples in this post, we are using the following tools and versions:

  • IntelliJ IDEA Community Edition 2022.2.1 – which you can get here
  • Example project from GitHub (Note: this is an outdated & unmaintained project, which makes it useful to show how to find outdated dependencies)
  • Maven 3.8.6 (optional, see note below) – Install Maven

Note: Maven wrapper

The project we are using in this example includes a Maven wrapper. If the project you are working on does not have a Maven wrapper, you will need to have Maven installed on your local machine. To add Maven wrapper to your project, run the following command in your terminal: mvn wrapper:wrapper and commit the result. Now anyone who uses the project can use the Maven wrapper without having to install Maven locally, and using the same Maven version.

Using Maven to display dependency updates

We can use Maven to check if there are updates available for the dependencies we are using in our project. Run the following command in your terminal: ./mvnw versions:display-dependency-updates.

This will display a list of dependencies for which newer versions have been found.

Command line terminal showing the `mvn versions:display-dependencies-updates` command and it's result.
Display dependency updates

As you can see, there are quite a few dependencies that need to be updated in this project. The reason is that this is an old project that was created from a tutorial years ago and not maintained since. The upside is that it is a great project to use as an example for finding outdated dependencies.

Using Maven to display plugin updates

The same is possible for plugins. Check which plugins can be updated by running the following command in your terminal: ./mvnw versions:display-version-updates.

On the example project, this provides the following result:

Command line showing the command ./mvnw versions:display-plugin-updates and the results
Display plugin updates

This project doesn’t really use a lot of plugins. Your actual projects might, so I wanted to include this command here.

Overview of dependencies: dependency-tree

To see all the dependencies you are using in your project, run the following command in your terminal: ./mvnw dependency:tree. This will return a list of the dependencies declared in this project, and their transitive dependencies:

Command line showing the command `./mvnw dependency:tree`and the resulting dependency tree for a project
Dependency tree

Of course, you can also find the declared dependencies in your pom.xml, but it’s good to have an idea of which transitive dependencies they bring in.

Filtering the dependency tree

The dependency tree for this example project is rather small, like the project itself. Your actual projects at work might be much bigger. If needed, you can filter the dependency tree.

To check where a specific dependency is coming from, use the following command: ./mvnw dependency:tree -Dincludes=<groupId>:<artifactId> containing the groupId and artifactId of the dependency you are looking for.

For example, if we would like to see where this project is getting the slf4j dependency, we would run ./mvnw dependency:tree -Dincludes=org.slf4j:slf4j-api. We see that we get this transitive dependency through Hibernate:

Command line showing the command `./mvnw dependency:tree -Dincludes=org.slf4j:slf4j-api` and it's result.
Filtering the dependency tree

For more information on filtering the dependency tree, see the Maven documentation.

Effective pom

The effective pom is the POM that results from the application of interpolation, inheritance and active profiles. To generate the effective POM, run the following command in your terminal: ./mvnw help:effective-pom.

When running this command on the the example project, the result will be fairly small, because it is a relatively small project. For a large project, the effective pom will be much bigger. If needed, you can write the effective POM into a log file using the following command: ./mvnw help:effective-pom --log-file log.txt.

Use Maven to find unused dependencies

We can also use Maven to find unused dependencies. Run ./mvnw dependency:analyze on the example project gives us the following results:

Command line showing the result of the Maven command dependency:analyse
Analysing dependencies

We see that we have “Used undeclared” dependencies, like org.springframework:spring-beans.
If we search for that dependency, by filtering the dependency tree for that particular dependency using ./mvnw dependency:tree -Dincludes=org.springframework:spring-beans we see that it is a transitive dependency from Spring-webmvc:

Command line showing a command to filter the Maven dependency tree and it's output
Filtering the dependency tree

We also see some “Unused declared” dependencies. If these are dependencies you truly don’t need, it might be a good idea to remove them from your pom.xml. (Note: In this example, JUnit is unused because the tutorial this project is based on didn’t include any tests. If that is the case for your project, consider adding tests instead of removing this dependency!)

Conclusion

Maven offers several ways to help us keep our dependencies up to date. Using the commands above can help us to keep the dependencies we need up to date, and to remove the dependencies we no longer need.