Version Dependency Updates Automated in Maven

Version housekeeping of libraries and third-party code is a requirement for maintaining strong resistance to security vulnerabilities in your product. We use Maven as our build tool standard, and the Maven Versions Plugin from MojoHaus to update versions on an automated basis.

For the maven build, there are three sorts of dependencies that we automate:

  1. Maven plugins – the building blocks that our build uses.
  2. Explicit dependencies – the libraries that our application uses.
  3. Property-based dependencies – these are usually a set of individual dependencies that share the same version, or dependencies whose version is, for build reasons, a reference to a Maven property value.

Note that the versions plugin is limited when it comes to plugin dependencies. It can only produce a report of available version updates – the plugin version itself must be updated manually in the pom.xml.

Version update process

Versioning Maven project plugins

Run mvn versions:display-plugin-updates to generate a report showing which plugin version updates are available and which module's pom.xml needs to be updated.

Versioning Maven project dependencies

Run the commands below to update both explicit and property-based <version>w.x.y.z</version> elements in the pom.xml of every module. It is suggested that this is run on code that is checked into a version control system so you can review the changes easily.

mvn versions:update-parent -DgenerateBackupPoms=false
mvn versions:update-properties -DgenerateBackupPoms=false
mvn versions:use-latest-releases -DgenerateBackupPoms=false

Semi Automated versions script to combine both steps

Note that this script produces an interactive report on plugins that may have updates available, then applies the dependency updates.

#!/bin/bash
# Stop at the first failing mvn invocation rather than continuing on a broken state
set -e
# Plugin updates are report-only: page through the output and edit the plugin versions in pom.xml by hand
mvn versions:display-plugin-updates | more
# Dependency updates are applied in place; -DgenerateBackupPoms=false skips writing backup pom files
mvn versions:update-parent -DgenerateBackupPoms=false
mvn versions:update-properties -DgenerateBackupPoms=false
mvn versions:use-latest-releases -DgenerateBackupPoms=false

Configuring the versions plugin to stop false updates

Sadly, due to the age of some Java libraries, there are “poor” versioning choices in some of the older ones. You can configure the versions plugin to leave certain versions out of consideration when it decides whether an update is available. This is useful for excluding alpha, beta and release candidate (rc) style naming, among others.

See a full implementation as part of our oss-maven-standards pom.xml on GitHub which excludes some common naming issues that we have found in our development. Feel free to use our open standards for your own projects too!

<plugin>
    <groupId>org.codehaus.mojo</groupId>
    <artifactId>versions-maven-plugin</artifactId>
    <configuration>
        <ruleSet>
            <ignoreVersion>
                <type>regex</type>
                <!-- Ignore alpha and beta -->
                <version>.+-(alpha|beta).+</version>
            </ignoreVersion>
            …
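As an added illustration (not code from the page or from the oss-maven-standards repository), the Python script below emulates how a regex ignoreVersion rule filters the candidate versions a repository returns, and shows that the page's pattern on its own still lets a bare "2.2.0-beta" through because it requires at least one character after the word. It assumes the plugin matches the regex against the whole version string, as Java's Matcher.matches() does; the extra patterns, the version ordering and the sample version list are constructed here.

```python
import re

# Regex rules as they would sit in <ruleSet><ignoreVersion><type>regex</type>.
# PAGE_PATTERN is the one from the page; EXTRA_PATTERNS are assumptions added
# here to cover bare beta, rc, milestone and snapshot names.
PAGE_PATTERN = r".+-(alpha|beta).+"
EXTRA_PATTERNS = [
    r".+[-.](alpha|beta|rc|RC|M|milestone)\d*",  # 1.0-beta, 1.0.RC1, 2.0-M3
    r".+-SNAPSHOT",                               # 2.0-SNAPSHOT
]


def is_ignored(version, patterns):
    """True if any ignoreVersion regex rule drops this candidate.
    Assumes a whole-string, case-sensitive match like java.util.regex
    Matcher.matches(), hence re.fullmatch with default flags."""
    return any(re.fullmatch(p, version) for p in patterns)


def filter_candidates(versions, patterns):
    """Split repository candidates into (kept, ignored) under the given rules."""
    kept = [v for v in versions if not is_ignored(v, patterns)]
    ignored = [v for v in versions if is_ignored(v, patterns)]
    return kept, ignored


def newest_kept(versions, patterns):
    """Pick the highest surviving version by its leading numeric components,
    ranking a plain release above a qualified one with the same numbers
    (a simplification of Maven's ComparableVersion, not its real ordering)."""
    kept, _ = filter_candidates(versions, patterns)

    def key(v):
        head = re.match(r"\d+(?:\.\d+)*", v).group()
        return tuple(int(n) for n in head.split(".")), v == head

    return max(kept, key=key) if kept else None


# Constructed sample of version strings, not taken from a real repository
SAMPLE = ["2.1.0", "2.2.0-alpha1", "2.2.0-beta", "2.2.0-beta2",
          "2.2.0.RC1", "3.0.0-M1", "3.0.0-SNAPSHOT", "3.0.0"]

if __name__ == "__main__":
    print(filter_candidates(SAMPLE, [PAGE_PATTERN]))
    print(filter_candidates(SAMPLE, [PAGE_PATTERN] + EXTRA_PATTERNS))
    print(newest_kept(SAMPLE, [PAGE_PATTERN] + EXTRA_PATTERNS))
```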