How To Approach Dependency Management in Java [Video]
In the video below, we will cover real-life considerations when working with dependencies in Java:
- How to find and trust the right dependencies
- How to consistently keep them updated
- How to protect against vulnerabilities
- How to handle team backlash against adding new dependencies
And more! :)
What’s in the Video
00:00 Intro
We'll start off with a tiny anecdote about me working for a German car manufacturer and trying to add Google's Guava library to our project. Plus, you'll get an overview of the topics covered in this video.
01:01 Old-School Dependency Management
If you already roughly know which dependency you are looking for, it usually makes sense to go to the project's GitHub page and copy its Maven/Gradle coordinates (groupId, artifactId, version) from the README. This works independently of the IDE you are using. One check worth making before pasting: make sure the groupId is the one the project itself publishes under, because a matching artifactId on its own does not identify a library.
However, there is also a faster and more convenient way, provided you are using IntelliJ IDEA: its package manager lets you search for and add the dependency from inside the IDE.
02:49 BOM Approach
Frameworks like Spring Boot make heavy use of the BOM (Bill of Materials) approach: your project inherits from a parent project that declares a curated set of supported libraries together with the versions that were tested to work with each other, so your own dependency declarations can leave the version out. We'll have a quick look at how this mechanism works in Maven.
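As an added example (not the video's code and not Spring Boot's own), here is a minimal `pom.xml` that picks up the Spring Boot BOM. It goes a little beyond the inheritance case described above: besides inheriting from `spring-boot-starter-parent`, the comments show how to override a BOM-managed version, which is what you need when a patched release of a library lands before the next Spring Boot release. The project coordinates are hypothetical, the Spring Boot, Jackson and Guava version numbers are illustrative, and the property name `jackson-bom.version` is assumed from the published BOM; confirm it in the `spring-boot-dependencies` POM you actually inherit.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the video's or Spring Boot's own code.
     Inherits the Spring Boot BOM through spring-boot-starter-parent.
     The Spring Boot version (3.2.5) is illustrative; pin the release you test with. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.2.5</version>
    <!-- Resolve the parent from the repository, not from a parent directory on disk. -->
    <relativePath/>
  </parent>

  <!-- Hypothetical project coordinates. -->
  <groupId>com.example</groupId>
  <artifactId>bom-demo</artifactId>
  <version>0.1.0-SNAPSHOT</version>

  <properties>
    <java.version>17</java.version>
    <!-- The inherited BOM manages Jackson via this property (assumed name, check the BOM).
         Overriding it pulls a newer Jackson into every Jackson artifact the BOM manages,
         which is how you pick up a patched release ahead of the next Spring Boot version.
         If you import the BOM with <scope>import</scope> instead of inheriting it,
         property overrides do NOT apply: list the dependency with an explicit version in
         <dependencyManagement> BEFORE the spring-boot-dependencies import entry. -->
    <jackson-bom.version>2.17.1</jackson-bom.version>
  </properties>

  <dependencies>
    <!-- No <version> here: the BOM inherited from the parent supplies it. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
    <!-- A library the BOM does not manage still needs an explicit, pinned version. -->
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>33.1.0-jre</version>
    </dependency>
  </dependencies>
</project>
```

To see which versions the BOM actually resolved for you, run `mvn help:effective-pom` (the fully merged POM) or `mvn dependency:tree` (the resolved graph, transitive dependencies included); both are the places to look when a version you did not declare shows up in a build.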
05:40 How To Keep Your Dependencies Up-To-Date
Consistently updating the dependencies in your projects can be a pain. How do you even know that new versions are available? I'll show a Maven command (a similar one exists for Gradle) that prints the available dependency updates. As you might have guessed, there is again a simpler way when using IntelliJ IDEA: the package manager shows you the possible updates and applies one with a single click.
08:43 How To Find Out About Dependency Vulnerabilities
Alongside updates, you also need to make sure your dependencies have no known security vulnerabilities. Again, you could run command-line tools for that, or you can rely on IntelliJ IDEA's built-in vulnerability checker, which even works for transitive dependencies! It highlights known security issues in yellow, and then it's up to you to decide what to do. Keep in mind that a highlight only tells you a vulnerability has been published for that version; whether your code actually reaches the affected API, and whether a clean result means anything more than "nothing published yet", is the judgement you still have to make.
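The command-line route for both of the last two sections, as an added example that is not the video's code: a Maven `<build>` section that wires in the versions-maven-plugin (update discovery) and the OWASP dependency-check-maven plugin (published-vulnerability scanning, transitive dependencies included). The project coordinates are hypothetical, the plugin versions and the Guava version are illustrative, the CVSS threshold is a choice rather than a recommendation from the page, the suppression file name is assumed, and the `ignoredVersions` parameter is assumed to be available in versions-maven-plugin 2.13 or newer; check the plugin documentation for your version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the video's code. Build-section fragment for a Maven project:
     versions-maven-plugin reports available updates, dependency-check-maven fails the
     build when a dependency (direct or transitive) has a published vulnerability.
     Plugin versions and the CVSS threshold are illustrative choices. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Hypothetical project coordinates. -->
  <groupId>com.example</groupId>
  <artifactId>dep-hygiene-demo</artifactId>
  <version>0.1.0-SNAPSHOT</version>

  <dependencies>
    <!-- One explicitly pinned dependency, so the update report has a line to show
         as soon as a newer release exists. Version is illustrative. -->
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>33.0.0-jre</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- 1. Update discovery.
           `mvn versions:display-dependency-updates` lists newer releases per dependency,
           `mvn versions:display-plugin-updates` does the same for build plugins. -->
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>versions-maven-plugin</artifactId>
        <version>2.16.2</version>
        <configuration>
          <!-- Hide pre-releases so the report is not cluttered with alpha/beta/RC/milestone
               builds (assumed: ignoredVersions exists in 2.13+; it takes regexes). -->
          <ignoredVersions>
            <ignoredVersion>(?i).*[-.](alpha|beta|rc|m)\d*</ignoredVersion>
          </ignoredVersions>
          <!-- Don't litter the tree with pom.xml.versionsBackup files when using the
               versions:use-* goals to apply an update. -->
          <generateBackupPoms>false</generateBackupPoms>
        </configuration>
      </plugin>

      <!-- 2. Vulnerability check, run automatically in the verify phase. -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>9.1.0</version>
        <configuration>
          <!-- Fail the build at CVSS 7.0 and above (High/Critical). The default threshold
               of 11 can never be reached, so without this line the plugin only reports. -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- Test-scoped dependencies do not ship with the application; skip them to cut noise. -->
          <skipTestScope>true</skipTestScope>
          <!-- Reviewed false positives go here, each with a written reason (assumed file name;
               drop this block if you have no suppressions yet). -->
          <suppressionFiles>
            <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
          </suppressionFiles>
          <!-- The NVD API key is read from the environment, never committed to the repository. -->
          <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
        </configuration>
        <executions>
          <execution>
            <goals>
              <!-- The check goal binds to the verify phase by default. -->
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Day to day this means `mvn versions:display-dependency-updates` for the "what is out of date" list and a plain `mvn verify` for the vulnerability gate. Two caveats: the scanner matches artifacts against published advisories by identifier, so a clean run means nothing has been published for those versions, not that the versions are safe; and a finding for an API your code never calls still fails the build at this threshold until someone suppresses it with a documented reason, which is the point, since that reasoning is exactly what should be on record.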
09:52 How to “Trust” Dependencies
The big question is: how do you know you can "trust" a specific dependency? Surely, you can have a look at the project metrics (commits, number of committers, release cadence, etc.), but at a certain point, some experience is always needed to make the final decision. We'll have a look at a connection pool example from my own past, where I decided to replace the then-standard Apache DBCP and c3p0 with the new HikariCP.
13:05 How To Find Dependencies if You Don’t Know Yet What You Actually Need (and Native Dependencies)
Last but not least, let's cover finding dependencies when you don't yet quite know what you are looking for, using as the example an image metadata extraction library for my Google Photos clone series. We'll do a couple of Google searches and wade through GitHub, Stack Overflow, and other links to find out which library we'll eventually need to use.
16:27 Outro
We'll finish off by mentioning related topics we didn't have a chance to cover in this video. If you have any questions or input on dependency management, please let me know!
Enjoy!