Keep your Dependencies up to date
Standing on the shoulders of giants
Dependencies are the foundation of the vast majority of our projects. Often not visible to us, they provide most of the functionality used at runtime, compared to the code we write ourselves.
So we should maintain them just as well as we maintain the code we write. Otherwise, our code base will rot, as it becomes harder and harder to maintain.
Recommendation
- Keep the set of dependencies as small as possible
- Ensure that your test coverage is high enough to rely on the existing tests to verify whether an update is OK or not
- Check regularly for new versions
- Automate the process of updating dependencies
- Use the Maven Versions Plugin for manual dependency updates
- Use tools like Renovate or GitHub's Dependabot to automate the process of updating dependencies
Rationale
The vast majority of all software now consists of external libraries that enable us to build the applications we need. The code we write ourselves is important because it represents the desired business logic, but it is only a small part of each application.
The much larger part is built from the dependencies we use, which provide us with the necessary infrastructure for our projects.
This can be compared very well to an iceberg. Our code is the small part of the iceberg that sticks out of the water. The much larger part, the dependencies, is mostly invisible.
Therefore, dependencies should always be kept as up to date as possible, so that any security hole can be closed quickly and incompatibilities can be identified at an early stage.
Example
In a professional development organisation, the preferred way to perform dependency updates should be to use established tools such as Renovate or Dependabot. As these tools are constantly evolving, I recommend that you consult their documentation. Any example given here would be out of date quite quickly.
Updating dependencies manually with the Maven Versions Plugin
Using the Maven Versions Plugin, it is quite simple to update a given Maven project manually.
The given example project uses Apache Commons Lang 3 in an outdated version.
As the project uses Maven properties to manage the used versions, the update will be performed with the help of the update-properties goal.
Please refer to the documentation of the plugin to see which goals are available to suit your needs.
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.amce.systems.depupdate.a</groupId>
  <artifactId>depupdate-a</artifactId>
  <version>1.0.0</version>
  <properties>
    <depa.commons-lang3.version>3.15.0</depa.commons-lang3.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-lang3</artifactId>
        <version>${depa.commons-lang3.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
The first step should always be to see which dependencies are candidates for updates.
$ mvn versions:display-dependency-updates
[INFO] Scanning for projects...
[INFO]
[INFO] --------------< com.amce.systems.depupdate.a:depupdate-a >--------------
[INFO] Building depupdate-a 1.0.0
[INFO] from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- versions:2.20.1:display-dependency-updates (default-cli) @ depupdate-a ---
[INFO] The following dependencies in Dependency Management have newer versions:
[INFO] org.apache.commons:commons-lang3 .................... 3.15.0 -> 3.20.0
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 6.213 s
[INFO] Finished at: 2025-12-31T09:05:36Z
[INFO] ------------------------------------------------------------------------
The second step will be the update of the outdated dependencies.
$ mvn versions:update-properties
[INFO] Scanning for projects...
[INFO]
[INFO] --------------< com.amce.systems.depupdate.a:depupdate-a >--------------
[INFO] Building depupdate-a 1.0.0
[INFO] from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- versions:2.20.1:update-properties (default-cli) @ depupdate-a ---
[INFO] Updated ${depa.commons-lang3.version} from 3.15.0 to 3.20.0
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.029 s
[INFO] Finished at: 2025-12-31T09:05:38Z
[INFO] ------------------------------------------------------------------------
After the Maven run, the updated project will use the latest versions.
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.amce.systems.depupdate.a</groupId>
  <artifactId>depupdate-a</artifactId>
  <version>1.0.0</version>
  <properties>
    <depa.commons-lang3.version>3.20.0</depa.commons-lang3.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-lang3</artifactId>
        <version>${depa.commons-lang3.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
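The two manual steps above, together with the recommendation to rely on the test suite, can be tied together in a small script. This is an added example, not code from the original page: it parses the candidate list from display-dependency-updates, flags major-version jumps for human review, and keeps an update only if mvn verify passes, using the plugin's versions:revert and versions:commit goals (which work on the pom.xml.versionsBackup the plugin writes by default). The second artifact in the sample output is constructed.

```shell
#!/bin/sh
# Added example (not part of the original page). Assumes: mvn on PATH, a project
# that manages versions via Maven properties, and the Versions Plugin's default
# backup behaviour (pom.xml.versionsBackup) for versions:revert / versions:commit.

# Parse the output of `mvn versions:display-dependency-updates` and print one
# line per candidate: "groupId:artifactId current latest".
parse_updates() {
    awk '$1 == "[INFO]" && $2 ~ /:/ && $(NF-1) == "->" { print $2, $(NF-2), $NF }'
}

# Succeeds when the update crosses a major version boundary (e.g. 3.x -> 4.x),
# the case that should be reviewed by a human rather than merged automatically.
is_major_bump() {
    cur_major=${1%%.*}
    new_major=${2%%.*}
    [ "$cur_major" != "$new_major" ]
}

# Apply the property updates, run the build with tests, and roll back when the
# tests fail so that a breaking update never lands in pom.xml.
update_and_verify() {
    mvn -q versions:update-properties || return 1
    if mvn -q verify; then
        mvn -q versions:commit     # tests passed: drop pom.xml.versionsBackup
        echo "update kept"
    else
        mvn -q versions:revert     # tests failed: restore the previous pom.xml
        echo "update reverted: tests failed"
        return 1
    fi
}

# Constructed sample of the plugin's output; the first line mirrors the run above,
# the second artifact and its versions are made up for this example.
SAMPLE_OUTPUT='[INFO] The following dependencies in Dependency Management have newer versions:
[INFO]   org.apache.commons:commons-lang3 .................... 3.15.0 -> 3.20.0
[INFO]   com.example:sample-lib .............................. 1.9.3 -> 2.0.0
[INFO] BUILD SUCCESS'

# Count the candidates that need a manual review because of a major bump.
count_major_bumps() {
    printf '%s\n' "$SAMPLE_OUTPUT" | parse_updates | while read -r ga cur new; do
        if is_major_bump "$cur" "$new"; then echo "$ga"; fi
    done | wc -l | tr -d ' '
}
```

Run update_and_verify from the project directory after reviewing the parsed candidates; the sample output only exercises the parsing and classification offline.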