In my Maven project (an aggregate project with child projects) I issue the following command for the Versions Maven Plugin:
mvn versions:display-dependency-updates
There are a couple of outdated dependencies I'm not sure where are coming from:
[INFO] The following dependencies in Dependency Management have newer versions:
[INFO] biz.aQute.bnd:biz.aQute.bnd.annotation ................ 6.4.1 -> 7.0.0
[INFO] org.mockito:mockito-inline ............................ 4.8.1 -> 5.2.0
Unfortunately, try as I might, I can't find which library references these. I've tried the following with the Maven Dependency Plugin, both in the root project and in child projects:
mvn dependency:tree
None of the output mentions biz.aQute.bnd:biz.aQute.bnd.annotation
or org.mockito:mockito-inline
.
The two suspects are:
com.amazonaws:aws-lambda-java-log4j2:1.6.0
ororg.apache.logging.log4j:log4j-bom:2.21.1
(forbiz.aQute.bnd:biz.aQute.bnd.annotation
)com.fasterxml.jackson:jackson-bom:2.15.3
(fororg.mockito:mockito-inline
)
But those are just suspicions based upon the additional dependency management I have in the subprojects where those outdated dependencies show up.
Is there any command I can use to find out which dependency is bringing in the outdated dependencies listed by the Versions Maven Plugin?
Someone on the Maven Users mailing list pointed me to the Maven Help Plugin, which has an
effective-pom
goal with averbose
option. I already knew about an effective POM, but I didn't realize the goal had averbose
optionThat gives me effective dependency management of the individual dependencies, along with the POM each comes from—even with line numbers.
Epilogue: It turns out
biz.aQute.bnd:biz.aQute.bnd.annotation:6.4.1
is coming fromorg.apache.logging:logging-parent:10.1.1
. Andorg.mockito:mockito-inline:4.8.1
was getting in because I forgot that one of my own libraries hadn't been updated to use my newer root POM (which manages the versions of testing libraries).