
I'd like to be able to see if any of the dependencies of my project - including transitive ones - have updates available.

Take the following pom.xml:

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.me</groupId>
    <artifactId>test</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <dependencies>
        <dependency>
            <groupId>org.apache.poi</groupId>
            <artifactId>poi</artifactId>
            <version>5.1.0</version>
        </dependency>
    </dependencies>
</project>
```

When I run the goal `versions:display-dependency-updates` I get:

```
[INFO] Scanning for projects...
[INFO] 
[INFO] ----------------------------< org.me:test >-----------------------------
[INFO] Building test 0.0.1-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- versions-maven-plugin:2.8.1:display-dependency-updates (default-cli) @ test ---
[INFO] No dependencies in Dependencies have newer versions.
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  0.939 s
[INFO] Finished at: 2022-01-12T17:09:39Z
[INFO] ------------------------------------------------------------------------
```

But when I run `dependency:tree`, I can now see:

```
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ test ---
[INFO] org.me:test:jar:0.0.1-SNAPSHOT
[INFO] \- org.apache.poi:poi:jar:5.1.0:compile
[INFO]    +- commons-codec:commons-codec:jar:1.15:compile
[INFO]    +- org.apache.commons:commons-collections4:jar:4.4:compile
[INFO]    +- org.apache.commons:commons-math3:jar:3.6.1:compile
[INFO]    +- commons-io:commons-io:jar:2.11.0:compile
[INFO]    +- com.zaxxer:SparseBitSet:jar:1.2:compile
[INFO]    \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
```

And an outdated version of log4j appears.

Is there a way of doing this that's not manual?

I've also tried `dependency-updates-report` with the `processDependencyManagementTransitive` option enabled (which is the default) and the transitive dependencies aren't listed.

Jakg
  • Feels weird. Has it not been omitted from the report for some reason? Have you also tried "mvn dependency:tree -Dverbose"? – Eugenio Jan 12 '22 at 17:53
  • `versions:display-dependency-updates` will only report on direct dependencies but not on transitive dependencies. The outdated dependency is a dependency of poi... You can simply define the newer version directly in your own project, which will overwrite the old one... – khmarbaise Jan 12 '22 at 18:33
  • @khmarbaise I understand how I could fix this contrived example, but if it was a large enterprise project with many internal dependencies, those versions would be under my responsibility to manage. – Jakg Jan 12 '22 at 18:50
  • @Eugenio I get the same output with `-Dverbose`, but I don't think it's a problem with `dependency:tree` as it's reporting the situation correctly. – Jakg Jan 12 '22 at 18:52
  • If those dependencies are under your own control you have to go and start by the transitive dependency and start there with upgrading to the most recent versions one by one... there you can use versions plugin to upgrade and continuing one by one... – khmarbaise Jan 12 '22 at 19:07
  • @khmarbaise that was the manual process I wanted to avoid. – Jakg Jan 12 '22 at 19:18
  • I wrote `use versions plugin`... you should check what I have written... check this: https://www.mojohaus.org/versions-maven-plugin/use-latest-versions-mojo.html – khmarbaise Jan 13 '22 at 07:08
  • @khmarbaise does that list transitive dependencies? If so do you have an example? – Jakg Jan 13 '22 at 07:48
  • What is the point of knowing a transitive dependency has updates if the parent dependency has not been released with the latest version? e.g. if org.apache.poi:poi:jar does not yet use the latest org.apache.logging.log4j:log4j-api:jar (e.g. 2.17.1). You can also have more recent releases like a major version upgrade that are not compatible with your 1st level deps. – рüффп Jan 19 '22 at 22:43
  • @рüффп see my previous comment - https://stackoverflow.com/questions/70685712/maven-display-dependency-updates-list-transitive-dependency-versions?noredirect=1#comment124962332_70685712 - those dependencies are under my control. – Jakg Jan 20 '22 at 10:25

0 Answers
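
Added example (not part of the question or its comments, and not code from the versions or dependency plugins): a small Python parser for the `dependency:tree` text output shown in the question. It separates direct from transitive dependencies and records which dependency pulls each one in, so the transitive coordinates can be reviewed or fed to a version check. The function names are this example's own and the sample is copied from the question's output; nothing here queries a repository for newer versions.

```python
import re

# dependency:tree output copied from the question above.
SAMPLE_TREE = r"""[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ test ---
[INFO] org.me:test:jar:0.0.1-SNAPSHOT
[INFO] \- org.apache.poi:poi:jar:5.1.0:compile
[INFO]    +- commons-codec:commons-codec:jar:1.15:compile
[INFO]    +- org.apache.commons:commons-collections4:jar:4.4:compile
[INFO]    +- org.apache.commons:commons-math3:jar:3.6.1:compile
[INFO]    +- commons-io:commons-io:jar:2.11.0:compile
[INFO]    +- com.zaxxer:SparseBitSet:jar:1.2:compile
[INFO]    \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
"""

# "[INFO] " + indentation in 3-char units ("|  " or "   ") + "+- " or "\- " + coordinates
NODE = re.compile(r"^\[INFO\] ((?:\|  |   )*)[+\\]- (\S+)$")

def parse_tree(text):
    """Return one dict per dependency node: depth 1 = direct, >1 = transitive."""
    nodes, stack = [], []          # stack[i] = "g:a" of the ancestor at depth i+1
    for line in text.splitlines():
        m = NODE.match(line.rstrip())
        if not m:
            continue               # banner, root project line, blank [INFO] lines
        depth = len(m.group(1)) // 3 + 1
        parts = m.group(2).split(":")
        if len(parts) == 5:        # groupId:artifactId:type:version:scope
            g, a, _type, version, scope = parts
        elif len(parts) == 6:      # groupId:artifactId:type:classifier:version:scope
            g, a, _type, _classifier, version, scope = parts
        else:
            continue               # not a coordinate line this example understands
        del stack[depth - 1:]      # drop ancestors that are not on this node's path
        nodes.append({"ga": f"{g}:{a}", "version": version, "scope": scope,
                      "depth": depth, "via": list(stack)})
        stack.append(f"{g}:{a}")
    return nodes

def transitive(nodes):
    """Nodes reached only through another dependency (depth > 1)."""
    return [n for n in nodes if n["depth"] > 1]

if __name__ == "__main__":
    for n in transitive(parse_tree(SAMPLE_TREE)):
        print(f'{n["ga"]}:{n["version"]} (via {" > ".join(n["via"])})')
```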