Dependency Updates Available (SL002)

Checks for available updates to dependencies and plugins in a Maven project.

Description

Uses the Maven Versions Plugin to detect newer dependency, plugin, parent, and property versions. For each outdated item it reports the latest overall version, the latest minor version within the current major, and the latest patch version within the current minor (when applicable). Also uses the veteran apps metadata services endpoint to detect the production versions of client dependencies. Dependencies that declare no version because the parent POM manages them are not reported. An ERROR is reported when the client module JAR is not found. INFO level violations are reported when newer dependencies and plugins are detected.
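
The classification the description outlines (latest overall, latest minor within the current major, latest patch within the current minor, and skipping parent-managed dependencies) is illustrated below in an added Python example. This is not the rule's own implementation: the list of available versions per artifact is constructed inline, where a real run would obtain it from the Maven Versions Plugin or repository metadata, and the sample POM, the artifact names under org.example and the version lists are all constructed for the example.

```python
"""Classify dependency updates the way the SL002 description outlines.

Added illustration, not the rule's own code. The available-version lists
are constructed; a real check would obtain them from the Maven Versions
Plugin / repository metadata.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample POM: one dependency pinned through a property, one
# managed by the parent (no <version>), one already on the newest release.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <spring-boot.version>2.7.5</spring-boot.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
      <version>${spring-boot.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>managed-lib</artifactId>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>current-lib</artifactId>
      <version>1.4.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed: versions a repository might advertise for each artifact
# (these are not real Spring Boot release lists).
AVAILABLE = {
    "org.springframework.boot:spring-boot-starter": [
        "2.7.5", "2.7.6", "2.7.18", "2.8.0", "3.0.0", "3.2.1"],
    "org.example:managed-lib": ["1.0.0", "2.0.0"],
    "org.example:current-lib": ["1.3.9", "1.4.0"],
}


def parse_version(v):
    """Return (major, minor, patch) as ints, padding missing parts with 0.
    Qualifiers such as '.RELEASE' are ignored; pre-release tags are not
    special-cased here, so filter milestones out before calling if needed."""
    parts = [int(p) for p in re.findall(r"\d+", v)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def classify_updates(current, candidates):
    """Find the newest version overall, within the current major, and
    within the current minor; flag whether the newest crosses a major."""
    cur = parse_version(current)
    newer = [c for c in candidates if parse_version(c) > cur]
    if not newer:
        return {"latest": None, "latest_minor": None,
                "latest_patch": None, "major_update": False}
    latest = max(newer, key=parse_version)
    same_major = [c for c in newer if parse_version(c)[0] == cur[0]]
    same_minor = [c for c in same_major if parse_version(c)[1] == cur[1]]
    return {
        "latest": latest,
        "latest_minor": max(same_major, key=parse_version) if same_major else None,
        "latest_patch": max(same_minor, key=parse_version) if same_minor else None,
        "major_update": parse_version(latest)[0] > cur[0],
    }


def find_updates(pom_xml, available):
    """Return (coordinate, current_version, classification) for every
    versioned dependency that has something newer. Dependencies without a
    <version> are managed by the parent and are skipped, as the rule does."""
    root = ET.fromstring(pom_xml)
    ns = {"m": POM_NS}
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", ns)}
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", ns):
        coord = "%s:%s" % (dep.findtext("m:groupId", namespaces=ns),
                           dep.findtext("m:artifactId", namespaces=ns))
        version = dep.findtext("m:version", namespaces=ns)
        if version is None:
            continue  # managed by the parent POM
        m = re.fullmatch(r"\$\{(.+)\}", version.strip())
        if m:  # resolve a ${property} reference from <properties>
            version = props.get(m.group(1))
            if version is None:
                continue  # unresolvable here; defined in a parent
        info = classify_updates(version, available.get(coord, []))
        if info["latest"] is not None:
            findings.append((coord, version, info))
    return findings


if __name__ == "__main__":
    for coord, cur, info in find_updates(SAMPLE_POM, AVAILABLE):
        level = "INFO (major update)" if info["major_update"] else "INFO"
        print(level, coord, cur, "->", info)
```

For the constructed input this reports only spring-boot-starter: 3.2.1 as the latest overall (a major update), 2.8.0 as the latest minor within major 2, and 2.7.18 as the latest patch within 2.7; managed-lib is skipped and current-lib is already current.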

Rationale

Keeping dependencies up-to-date improves security and stability. Major updates may be breaking and should be evaluated.

Findings

  • ERROR

    • Client module JAR not found; project needs to be built locally

  • INFO

    • Newer dependency/plugin/parent/property version detected

    • Major version update detected (consult PO or consider latest minor)

    • Latest minor within current major and latest patch within current minor suggested

Noncompliant

Outdated dependency version
<!-- Example showing outdated dependency version in a POM -->
<project>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
      <version>2.7.5</version> <!-- outdated -->
    </dependency>
  </dependencies>
</project>

Compliant

Dependencies up-to-date
<!-- Example showing up-to-date dependency version in a POM -->
<project>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
      <version>${spring-boot.version}</version> <!-- managed and up-to-date -->
    </dependency>
  </dependencies>
</project>

Configuration

This rule has no configuration.