How to check for dependency updates in Gradle?
Every time a new library is added to a project, the question arises whether we could do without it. And no wonder, because we developers already have to maintain a zoo of libraries in our projects. Each new one adds the routine work of finding updates and migrating to new versions. No one will perform the migration to new versions for us, but the search for updates can be automated. That’s what I’m going to talk about in this article.
Why update dependencies at all?
We live in the 21st century, the century of digitalization of everything and everyone. Every day, another group of hackers breaks into the information systems of another company. This is especially true now, when the geopolitical situation has changed.
Many hacks of an information system happen because its creator did not bother to update the code base and the dependencies it uses in time. Any software, library or framework contains vulnerabilities that can be used for hacking. Recall, for example, the high-profile vulnerability found in Apache Log4j, which forced literally all developers to urgently patch their own systems.
To solve the problem of obsolete libraries, there are services like Dependabot or Renovate. However, for Java developers there is a much easier and faster way to get information about available updates: gradle-versions-plugin.
Gradle Versions Plugin
Information about the project and instructions can be found on the project's official page on GitHub.
Installation
To start using the plugin in your Gradle project, just add it to your project's build.gradle file. In the plugins section, include the following declaration:
id 'com.github.ben-manes.versions' version '0.47.0'
Here 0.47.0 is the most current version of the plugin at the time of writing.
And that’s all.
Usage
With the plugin added, a new task appears in your Gradle project, dependencyUpdates, which generates a report on the status of your project’s dependencies. To use the new task, just run the following command:
gradle dependencyUpdates
A full report on the dependencies used in the project will be displayed in the terminal.
Example
Now let’s look at a live example of how the plugin works. To do this, I generated a new Java project using the command gradle init. After answering all the questions of the generator, I received a project with a small number of dependencies, which is just the right thing to demonstrate the plugin.
After adding the plugin to the project, my build.gradle file looks like this:
    plugins {
        id 'application'
        id 'com.github.ben-manes.versions' version '0.47.0'
    }

    repositories {
        mavenCentral()
    }

    dependencies {
        implementation 'com.google.guava:guava:31.1-jre'
    }

    testing {
        suites {
            test {
                useJUnitJupiter('5.8.0')
            }
        }
    }

    application {
        mainClass = "ru.anverbogatov.App"
    }
Let’s run gradle dependencyUpdates to get a report on the availability of dependency updates for our project:
$ gradle dependencyUpdates
> Task :app:dependencyUpdates
------------------------------------------------------------
:app Project Dependency Updates (report to plain text file)
------------------------------------------------------------
The following dependencies are using the latest milestone version:
- com.github.ben-manes.versions:com.github.ben-manes.versions.gradle.plugin:0.47.0
- com.google.guava:guava:31.1-jre
The following dependencies have later milestone versions:
- org.junit.jupiter:junit-jupiter [5.8.0 -> 5.9.1]
https://junit.org/junit5/
Gradle release-candidate updates:
- Gradle: [7.6: UP-TO-DATE]
Generated report file build/dependencyUpdates/report.txt
The report immediately shows that a newer version of JUnit than the one used in the project is available:
The following dependencies have later milestone versions:
org.junit.jupiter:junit-jupiter [5.8.0 -> 5.9.1]
Bring the JUnit version in the project up to the latest by updating the version number in the build.gradle file:
    ...
    testing {
        suites {
            test {
                useJUnitJupiter('5.9.1')
            }
        }
    }
    ...
Then run the command gradle dependencyUpdates again to make sure we’re now using the latest versions of the dependencies:
$ gradle dependencyUpdates
> Task :app:dependencyUpdates
------------------------------------------------------------
:app Project Dependency Updates (report to plain text file)
------------------------------------------------------------
The following dependencies are using the latest milestone version:
- com.github.ben-manes.versions:com.github.ben-manes.versions.gradle.plugin:0.47.0
- com.google.guava:guava:31.1-jre
- org.junit.jupiter:junit-jupiter:5.9.1
Gradle release-candidate updates:
- Gradle: [7.6: UP-TO-DATE]
Generated report file build/dependencyUpdates/report.txt
Now, our project uses the latest versions of the libraries.
Conclusion
gradle-versions-plugin works great on both small projects and large multi-project Gradle builds with lots of libraries. It is especially convenient to get information about the availability of new versions in Spring Boot projects, where the number of different dependencies is huge.
The console command and terminal output also make this plugin an excellent candidate for inclusion in your CI pipelines.
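One way to wire the report into a CI job, as an added example that is not part of the original article or the plugin's own code: a shell gate that parses the plain-text report format shown above and fails when newer versions are listed. The function names and the exit-code convention are assumptions made for this example, and the sample report is constructed.

```shell
# CI gate over the plain-text report written by `gradle dependencyUpdates`.

# Print "group:name current latest" for every entry in the
# "have later ... versions" section of the report file "$1".
outdated_deps() {
    awk '
        /have later .* versions:/ { in_section = 1; next }
        /:$/ && $1 != "-"         { in_section = 0 }   # next section header
        in_section && $1 == "-" && $4 == "->" {
            print $2, substr($3, 2), substr($5, 1, length($5) - 1)
        }
    ' "$1"
}

# Returns 0 = up to date, 1 = updates pending, 2 = report missing or empty.
# A report that was never generated must not pass the gate (fail closed).
check_report() {
    [ -s "$1" ] || { echo "report not found: $1" >&2; return 2; }
    pending=$(outdated_deps "$1")
    [ -z "$pending" ] && return 0
    printf 'Dependencies with newer versions:\n%s\n' "$pending" >&2
    return 1
}

# Constructed sample in the report format shown in the article.
write_sample_report() {
    cat > "$1" <<'EOF'
:app Project Dependency Updates (report to plain text file)

The following dependencies are using the latest milestone version:
 - com.google.guava:guava:31.1-jre

The following dependencies have later milestone versions:
 - org.junit.jupiter:junit-jupiter [5.8.0 -> 5.9.1]
     https://junit.org/junit5/

Gradle release-candidate updates:
 - Gradle: [7.6: UP-TO-DATE]
EOF
}

# In CI: gradle dependencyUpdates; check_report build/dependencyUpdates/report.txt
sample=$(mktemp)
write_sample_report "$sample"
if check_report "$sample"; then echo "gate: pass"; else echo "gate: fail"; fi
rm -f "$sample"
```

Only the "have later ... versions" section is counted, so the Gradle release-candidate line and the up-to-date list never trip the gate.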