Classes on How you can Escape the Maven Dependency Hell


Throughout their Devoxx UK speak Ixchel Ruiz, Developer Advocate at JFrog, and Andres Almiray, Principal Product Supervisor at Oracle, introduced a number of “maven puzzlers” and their potential options to flee the Apache Maven “dependencies hell”. Their presentation touched on direct, transitive, guardian POMs and even about importing Invoice Of Materials

Me, as a developer, I’m feeling good when my instruments are doing what they’re presupposed to be doing

Acknowledged Ruiz within the opening of their presentation. The “magic occurs” when the “software is sweet” and also you perceive it. Because the title states the presentation was about constructing instruments, extra particularly Apache Maven.


In line with JFrog Artifactory statistics and developer productiveness from JRebel or JetBrains, Maven remains to be the primary Java construct software utilized by builders with 68% respectively 73% market share.

Almiray: Dependencies should not all the identical

Almiray, who was a long-time Gradle supporter, said that even Gradle or sbt depend on Maven in a single or one other. So, even when they do issues in their very own manner, they nonetheless want to grasp the POM format to resolve their dependencies. At factors, they won’t work as anticipated – otherwise you would anticipate them to behave in a classical Maven manner.

They segway into the puzzlers by asking the viewers what can be the very first thing they’d do on a recent cloned maven challenge. Almiray inspired the viewers to interchange the instinctual mvn clear set up with mvn confirm aside from conditions when the challenge will depend on distant tasks. He argues that within the Maven lifecycle, confirm is the step proper earlier than set up and it validates the challenge by constructing it and operating the checks. Whereas the set up simply copies the results of the construct (compilation and packaging) from one a part of the filesystem (the place the construct occurs) to a different half, the place there may be the repository.


Subsequent, the presentation turned a dialog via an interactive questionnaire which the viewers may’ve responded to in real-time. As they launched the puzzlers, they said that challenges will happen when you should have a dependency with the identical coordinates (groupId, artificatId) however totally different variations.

The “warm-up questions” recognized the variations of Maven used and the way in which of putting in it but additionally if the viewers used Maven daemon. In response to the alternatives of the viewers, the 2 urged utilizing SDKMAN (which can enable utilizing totally different variations of Java even in two totally different terminal home windows), the Maven daemon for improved pace and the brand new variations of Maven 3.9.x as a technique to transfer in the direction of the brand new disruptive model 4.x.


Within the puzzlers part of the presentation, the 2 used the Google Guava dependency for example, not as a result of “we hate the Guava, however as a result of it’s generally recognized”. They supplied a number of situations, and puzzlers, adopted by explanations, options for enhancements and options. They grouped the conditions into three sections: single POM file dependencies, dependencies with guardian POM and importing BOM.

Single POM file dependency administration

The primary one checked out a easy challenge that declared two totally different variations of Guava one after the opposite, asking which one will probably be resolved. The response of the viewers was virtually equally divided among the many two variations or having a construct error. Even when it’d seem to be a easy rule to be utilized, on condition that at the moment there are a number of mixtures (of variations and plugins) issues can grow to be extra difficult. As an illustration, this example will probably be a construct error in Maven 4.x however only a warning in 3.x. 

The response of this puzzler is model 28.0 of Guava will probably be resolved, however as a result of it’s not the upper model quantity, all the time Maven will take the final dependency declared. Greater than that, Maven does not comprehend variations in any manner, for it treats them as strings. To make sure that these conditions don’t occur, they suggest utilizing the ban duplicate POM variations rule of the Maven enforcer plugin till 4.x is usually out there, sufficient it is going to be painful the primary time you employ it. Utilizing the rule will generate a construct error, forcing you to decide on the suitable model to your challenge. 

The subsequent puzzler tailored the preliminary one barely, by changing the second dependency with a transitive one which brings a better model. Even when the second is greater and is the final one outlined within the POM file, the direct “dependency all the time wins”. Almiray talked about that Robert Scholte, the previous chair of the Apache Maven challenge – underlined that the software does not perceive semantic versioning however appears to be like at “solely the place within the graph”. He additional said, that having totally different variations of the identical dependency in your graph may sometimes break your software. To keep away from this example you should use the “dependency convergence rule” of the Maven enforcer plugin. It’ll be sure that you all the time have the identical model. And if you want to implement semantic versioning as effectively, you should use the “require higher bounds deps” enforcer rule which can level that there’s a newer model out there in your graph. Combining the 2 guidelines will emphasise when you may have two variations of the identical dependency and can level out there’s a newer one out there. 

The subsequent scenario launched the dependency administration idea which works like a lookup desk. At any time when Maven is constructing the graph, it would search the given desk and if there’s a matching dependency (the identical artifact and group IDs) it would select the model that’s outlined there. The primary instance had simply the dependency administration block and the transitive dependency coming through Google Fact whereas the second instance added a direct dependency to the combination as effectively. Within the first scenario the model outlined within the dependency administration block will “win”, whereas in the second, the direct dependency will win, as “direct dependencies, no matter the place within the graph they’re, all the time win”. 

The next one used two dependencies that each convey the identical transitive dependency on the identical distance from the foundation (“that is essential”). And the identical scenario was barely altered by bringing the dependency administration block into play. The viewers utilized the rule for direct dependencies that claims that the final one outlined within the graph will “win”, however within the case of transitive dependency it’s the different manner round and the primary, closest transitive dependency outlined by the primary library will “win”. So on this case, as they had been on the identical distance the transitive dependency introduced by Guice received (Guava 30.1). When the dependency block got here into play, the model outlined by it “received”. 


Guardian POM file dependencies

Throughout this part of their presentation, the 2 added one other complexity to the dependency administration story: the guardian POM. Every POM can have a guardian one as effectively – which can present a unique context for dependency administration. Parenthood is outlined on the baby degree, the guardian does not know something concerning the kids which can be inheriting it. Every POM has a guardian one – if none is outlined explicitly, the guardian will probably be implicitly the tremendous POM. The explanation why Maven can construct your challenge with simply primary plugins added is that the tremendous POM accommodates all of the wanted ones.

Almiray: it is easy to purpose a few single POM file, however after all what occurs when you may have multiple POM file?

Ruiz: After all…then issues get extra fascinating 

The subsequent examples outlined a direct dependency within the guardian, a transitive one within the baby within the first case. Within the second case, a dependency administration block is added as effectively. Because the guardian POM is imported within the baby POM simply “as it’s”, we are able to fall again to the earlier conditions the place we had a single POM with direct dependencies, transitive dependencies and dependency block. Like all the time the “direct dependency wins”. The only real distinction is that the efficient POM will import additionally the content material of the guardian POM. So, relying on the place of the dependency within the efficient POM it is going to be resolved to 1 or one other.

BOM dependencies

The final of the ideas used within the presentation is the Invoice Of Supplies (BOM) and it shouldn’t be confused with Software program Payments Of Materials (SBOM), the “safety thingy”. There isn’t any official definition or classification of the kinds of BOMs you’ll encounter however in keeping with Almiray you’ll be able to break up them into the next classes:

  • the library BOM – defines tasks which can be associated to a single library. For instance, the JUnit or Jackson BOM defines all the pieces associated to JUnit and nothing extra
  • the stack BOM – Spring or Quarkus BOM convey all dependencies of varied tasks required for the given challenge to operate. Every BOM accommodates a mix of variations that work greatest collectively

Ruiz: even when do not use it, you devour it. When you use Spring Boot or Quarkus you import only one factor which brings extra dependencies…

Whatever the sort you employ, they are going to be consumed in the identical manner: through a dependency administration block (Ruiz claims that is the explanation that they exist). With the intention to devour a BOM, apart from the artifactID and groupID you should add additionally the POM sort, in any other case, Maven will attempt to resolve it as a JAR file. The POM recordsdata are composed of simply metadata.

 The subsequent puzzlers had been variations of those introduced earlier than. They included a guardian and a baby POM and the efficient POM had two transitive dependencies, a dependency administration block within the guardian with one dependency and one other one which imports a BOM for the left one. The correct one added a direct dependency to the combination. The efficient POM file will confer with the dependency block outlined within the guardian and the chosen model of Guava would be the one outlined there. So, within the case of the primary puzzler, it resolved to: 28.0-jre. Within the second case, although the 2 emphasised on the entire length of the presentation that “direct dependencies all the time win”, now they amended their assertion by including that “…except the scenario a BOM file is imported, then all the pieces else is ignored”. So, in that case, the model from the dependency administration block is used: 26.0-jre. 

The subsequent scenario on the left has a dependency administration block outlined by the guardian and within the baby POM. The one in baby, accommodates a BOM import but additionally dependency. On this case, because the model is nearer to the supply of the utilization, it would override the one within the guardian. So the dependency outlined within the dependency block of the kid POM would be the one which will probably be used: 26.0-jre. The scenario outlined on the fitting is in keeping with Ruiz essentially the most advanced one: a dependency block within the guardian, a dependency block importing a BOM within the baby, along with a transitive dependency and a direct dependency too. On this scenario, the direct dependency would be the one that can win: 28.0-jre. 

Within the closing half, the 2 extracted the important thing takeaways of their presentation. She talked about how irritating it’s that the decision of dependencies is so depending on the place of definitions contained in the POM recordsdata. They re-emphasized the significance of utilizing the Maven Enforcer plugin to make sure that there are clear guidelines outlined and adopted. On this manner, a brand new entry in a unique place of the dependency definition file is not going to change the output of the construct course of. 

Almiray: if there may be one factor to take from this presentation is to make use of the Maven enforcer plugin and break your construct as we speak, for all the fitting causes…

Ruiz’s closing comment is a recapitulation of the dependency decision guidelines Maven makes use of: direct dependencies all the time win. Transitive dependencies will choose the primary and closest one to seek out.. Dependency administration decision will probably be used as a list. Within the case of BOM recordsdata, you employ them even when you do not know it. Almiray ends by stating that exclusions can be utilized as a final resort as effectively and that dependency administration blocks are good so long as you construct with Maven. However when you’ve got totally different customers, you will have to rework all various kinds of dependency blocks into express dependencies.  Maven flatten can try this for you. A case that it is best to do that is if the patron is Gradle, which does not help something however direct dependencies. 


Leave a Reply

Your email address will not be published. Required fields are marked *