
Dependency management

B. K. Oxley (binkley) edited this page Jul 30, 2024 · 8 revisions

TODO page needs content

  • Migrate discussions on dependency management to here.

Dependencies, and transitive dependencies (when you depend on X, and X depends on Y), are a key concern in software. Your build should help you manage these, and when you are explicit, let you know if dependencies are outdated.

Avoid dependencies that rely on plugins

An example is the dependency on spotbugs-annotations. This is a dependency you may pull in to support suppressing warnings with @SuppressFBWarnings. Tackling SpotBugs warnings is important to security and quality; there are situations where you want to suppress a specific warning, but suppression should generally be avoided. Note that in this example @java.lang.SuppressWarnings is natively supported by the JDK, with drawbacks.

However, pulling in the dependency for spotbugs-annotations provides a transitive dependency on javax.annotations, which in turn provides annotations such as @javax.annotation.Nonnull. Best is to eschew transitive dependencies required for compilation: declare them separately and explicitly in your Gradle and Maven builds.

Avoid accidental dependencies

Avoiding accidental dependencies may result in more work when managing dependencies but with benefits:

This project leans towards explicit transitive versioning when:

  • We find a plugin relies on a key tool that updates faster than the plugin (usually managed as a "tool version").
  • A library or plugin has a critical dependency with known security concerns, and we can address a CVE with a transitive dependency update.

However, we do not manage versions in other cases. It is up to you to decide how best to manage versions for your project and circumstances.
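As an added example (not this project's own build file) of both points above, declaring the compile-time annotation dependency explicitly instead of relying on what spotbugs-annotations drags in, and pinning a transitive dependency only where a CVE fix requires it, here is a Gradle Kotlin DSL fragment. The version numbers, the `example.group:vulnerable-lib` coordinates and the CVE id are illustrative placeholders, not values from this page.

```kotlin
// build.gradle.kts (added example; versions and placeholder coordinates are assumptions)
dependencies {
    // @SuppressFBWarnings is needed only while compiling, so do not leak it onto
    // the runtime classpath of consumers.
    compileOnly("com.github.spotbugs:spotbugs-annotations:4.8.6")

    // @javax.annotation.Nonnull would otherwise arrive transitively via
    // spotbugs-annotations. Declaring it here keeps compilation working even if
    // SpotBugs drops or changes that transitive dependency later.
    compileOnly("com.google.code.findbugs:jsr305:3.0.2")

    constraints {
        // Explicit transitive versioning, used only for the security case:
        // force every resolution of this library to the version carrying the fix,
        // and record why so the pin can be reviewed and removed later.
        implementation("example.group:vulnerable-lib") {
            version { strictly("1.2.3") } // placeholder: first version with the fix
            because("CVE-YYYY-NNNN (placeholder) is fixed in 1.2.3; remove when upstream updates")
        }
    }
}
```

Run `./gradlew dependencies --configuration compileClasspath` to confirm that jsr305 appears as a direct declaration and that the constrained library resolves to the pinned version.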

Tips

TODO: Placeholder section

Going further

TODO: Placeholder section
