Find source of outdated dependencies indicated by Versions Maven Plugin

63 views Asked by At

In my Maven project (an aggregate project with child projects) I issue the following command for the Versions Maven Plugin:

mvn versions:display-dependency-updates

There are a couple of outdated dependencies I'm not sure where are coming from:

[INFO] The following dependencies in Dependency Management have newer versions:
[INFO]   biz.aQute.bnd:biz.aQute.bnd.annotation ................ 6.4.1 -> 7.0.0
[INFO]   org.mockito:mockito-inline ............................ 4.8.1 -> 5.2.0

Unfortunately, try as I might, I can't find which library references these. I've tried the following with the Maven Dependency Plugin, both in the root project and in child projects:

mvn dependency:tree

None of the output mentions biz.aQute.bnd:biz.aQute.bnd.annotation or org.mockito:mockito-inline.

The two suspects are:

  • com.amazonaws:aws-lambda-java-log4j2:1.6.0 or org.apache.logging.log4j:log4j-bom:2.21.1 (for biz.aQute.bnd:biz.aQute.bnd.annotation)
  • com.fasterxml.jackson:jackson-bom:2.15.3 (for org.mockito:mockito-inline)

But those are just suspicions based upon the additional dependency management I have in the subprojects where those outdated dependencies show up.

Is there any command I can use to find out which dependency is bringing in the outdated dependencies listed by the Versions Maven Plugin?

1

There are 1 answers

0
Garret Wilson On BEST ANSWER

Someone on the Maven Users mailing list pointed me to the Maven Help Plugin, which has an effective-pom goal with a verbose option. I already knew about an effective POM, but I didn't realize the goal had a verbose option

mvn help:effective-pom -Dverbose=true

That gives me effective dependency management of the individual dependencies, along with the POM each comes from—even with line numbers.

Epilogue: It turns out biz.aQute.bnd:biz.aQute.bnd.annotation:6.4.1 is coming from org.apache.logging:logging-parent:10.1.1. And org.mockito:mockito-inline:4.8.1 was getting in because I forgot that one of my own libraries hadn't been updated to use my newer root POM (which manages the versions of testing libraries).