July 07, 2020
Written by Rhys Arkins
In this post we’ll show you how to use modern tooling and automation to keep your Maven dependencies updated.
Defining Maven Dependencies
In the example pom.xml you can see multiple locations for dependency definitions:
- Inside the <dependencyManagement> block:
- Inside a top-level <dependencies> block:
- Inside a <build><plugins> block:
In each of the above, you can see one or more external dependencies with a name and version defined. Unless you’re new to software development, you’ll also know that the one thing you can rely on with dependencies is that the version you’re using will soon be out of date!
Next, we’ll evaluate and compare the different ways you can update these dependencies.
Maven Dependency Updating by Hand
The pom.xml file is naturally in XML format, and XML is fairly human-readable, so how about updating it manually? Let’s walk through that option.
We could simply Google the package name, for example:
Alternatively, I may prefer Maven Central and navigate directly to there to look up the package. Here, we can see that a new major version has been released:
The next step would be to perform the manual update:
- Clone the repo (or your fork)
- Create a new branch
- Manual edit and save the pom.xml
- Push the branch to GitHub.com
- Create a Pull Request and describe the change
The above achieves our goal of updating dependencies, but it requires a lot of manual work (even finding the pom.xml to begin with, if it was nested) and the reality is that most developers are going to forget to do this, or prioritize other tasks. Let’s look instead at the ways to automate this time-consuming task.
Maven Dependency Updating Using the CLI
In the example above, we manually checked the pom.xml file for dependencies and then copy/pasted the package names to perform lookups. Now let’s look at how to automate a part of that using a Maven plugin.
The Versions Maven Plugin is a Maven Plugin that can be used to automatically scan pom.xml dependencies and look up new versions. With it, we can eliminate some of the manual work above — namely the looking up of packages and versions and comparing them to what we have.
Running mvn versions:display-dependency-updates against the same project as above reveals that there are a lot of dependencies that could be updated. Here is just a snippet:
The good news is that the detection and lookup of dependencies is now automated for you, but the bad news is that there’s still a lot of work to do, e.g.
- Create a branch
- Commit the changes
- Push the branch to GitHub
- Create a Pull Request describing the changes
The best news is that there is a solution that automates that part too.
Maven Dependency Updating Using Renovate
WhiteSource Renovate is a free tool that keeps dependencies up-to-date using Pull Requests. Essentially, this automates away even the last steps mentioned above, meaning that CI tests can be triggered automatically and passing PRs are just one click away.
How Does It Work?
- WhiteSource Renovate is installed into the repositories of your choosing
- It scans each repository regularly (typically every hour, but scans can be even more frequent important webhooks are received)
- Each scan, the bot will detect all pom.xml files in your repository, extract out all dependencies within, and look up if any of them have newer versions available
- Based on your configuration, WhiteSource Renovate will either raise PRs immediately or during the schedule of your choice. PRs can be raised one per-package or grouped together if preferred
- WhiteSource Renovate will also embed any Changelogs or Release Notes it can find for each release
- Typically, any PR should trigger your regular CI tests
- Once developers are happy with the update, they can merge the PR to update the dependencies
WhiteSource Renovate in Action
If we go back to the Google Cloud Platform repository we originally looked at, we can see that this repository actually uses WhiteSource Renovate already! In fact, it’s quickly risen to be the number one “contributor” to the repository, as measured by GitHub:
Taking a look at the repository’s Pull Requests, we can see a few from WhiteSource Renovate such as this one:
Here you can see:
- The PR title clearly describes which package is being updated and to which version
- There’s one commit, but five files have been updated
- Two different existing versions of the dependency have been found, and both are updated to the newest version
- Release Notes have been conveniently included but minimized
- Custom labels have been added
This is automation at its best. No human needed to manually check package versions, make commits, or create descriptions in a pull request — let alone manually copy/paste release notes.
Installing and Using WhiteSource Renovate
WhiteSource Renovate is a free tool, available as a hosted service (app/bot) for github.com and gitlab.com or self-hosted for GitHub Enterprise, GitLab CE/EE, BitBucket Server, and Azure DevOps.
Here’s the quickest way to get it for each platform:
- github.com: Install it for free via GitHub Marketplace
- gitlab.com: Log in to https://app.renovatebot.com/ using your GitLab identity
- GitHub Enterprise: Run WhiteSource Renovate On-Prem
- GitLab CE/EE: Run WhiteSource Renovate On-Prem
- Bitbucket: Run Renovate OSS CLI
- Azure DevOps: Run Renovate OSS CLI
Rhys Arkins is a Director of Product Management at WhiteSource, where he focuses on developer solutions. He joined WhiteSource in 2019 through the acquisition of his company Renovate Bot – a DevOps tool for automating dependency updates.