I have a big pom.xml file; it's a Spring Hibernate project. Now I see that all the versions of the commons-collections jar are getting downloaded, and some of them are vulnerable. I only want it to download the 4.x version of the commons-collections jar.
Now, it's a big pom file with more than 100 dependencies, and there is no direct dependency on commons-collections. So how can I find which dependency is downloading the commons-collections jar, or how can I make only the 4.x version of the commons-collections jar download instead of all the versions?