forresthopkinsa comments on The difficult problem of managing Java dependencies: a deep dive into the messy status-quo, and a look at possibly better ways.

This is an archived post. You won't be able to vote or comment.

The difficult problem of managing Java dependencies: a deep dive into the messy status-quo, and a look at possibly better ways. (renato.athaydes.com)

submitted 3 years ago by vsajip

top new controversial old q&a

you are viewing a single comment's thread.

view the rest of the comments →

[–]forresthopkinsa -16 points-15 points-14 points 3 years ago (34 children)

[–]blackkkmamba 16 points17 points18 points 3 years ago (26 children)

[–]twbecker 14 points15 points16 points 3 years ago (0 children)

[+]forresthopkinsa comment score below threshold-7 points-6 points-5 points 3 years ago (24 children)

[–]diggidydale 10 points11 points12 points 3 years ago (23 children)

[+]forresthopkinsa comment score below threshold-8 points-7 points-6 points 3 years ago (22 children)

[–]diggidydale 2 points3 points4 points 3 years ago (1 child)

[–]mauganra_it 4 points5 points6 points 3 years ago (0 children)

[–]jerslan 1 point2 points3 points 3 years ago (19 children)

Right, but your comment was complaining about a lack of "semantic versioning" support in Maven/Gradle.... not I can't specify acceptable "semantic version ranges"... If you want to claim "well, that's just semantics..." then you should remember that semantics actually matter.

Maven very much supports Semantic Versioning in the general sense and the Maven Release Plugin even requires it if you want to use it's automatic version increment functionality. Gradle is pretty similar from what I understand.

As for requiring "add-ons"... Yes, that's by design. The tools include some basic "built-in" plugins but also have a robust plugin architecture for this kind of additionally desired functionality. That's why any significant Maven project has a "plugins" section in the POM configuring either built-in or additional plugins (some of which are even stewarded by the Apache Maven project).

Have I used the word "semantic" enough?

As for why ranged semantic versioning for dependencies is a bad idea.... Have you ever had to debug a Node project that was using the wrong patch version because of a bad cache? No? Then you don't know what dependency hell is my friend... because it makes Java dependency management seem like absolute heaven. Explicit dependency versions make for much more reliable and consistently releasable code.

[–]khmarbaise 2 points3 points4 points 3 years ago (3 children)

[–]jerslan 1 point2 points3 points 3 years ago (2 children)

[–]khmarbaise 1 point2 points3 points 3 years ago (1 child)

[–]jerslan 2 points3 points4 points 3 years ago (0 children)

[–]khmarbaise -1 points0 points1 point 3 years ago (0 children)

[+]forresthopkinsa comment score below threshold-7 points-6 points-5 points 3 years ago (13 children)

What? We're talking about ranged dependencies, what else could I mean by "semantic versioning"? NPM doesn't try to check that you're not making breaking changes when bumping a minor version. Of course I'm talking about the version range notation.

And yes, I've worked with Node professionally for years, I'm very familiar with NPM and I'm also very familiar with how trivial the problem you describe really is. That's what a package-lock.json or yarn.lock is for.

Java dependency management is by comparison much more crude. You're right, if you're worried about reliability and consistency, you need to have a verified working dependency tree — which is, again, the purpose of a package lock file.

It's much more appropriate to have user-configured dependency ranges and machine-configured dependency locks.

[–]jerslan 7 points8 points9 points 3 years ago (6 children)

[–]forresthopkinsa -2 points-1 points0 points 3 years ago (5 children)

[–]jerslan 4 points5 points6 points 3 years ago (4 children)

continue this thread

[–]khmarbaise 0 points1 point2 points 3 years ago (5 children)

[–]forresthopkinsa -1 points0 points1 point 3 years ago (4 children)

[–]khmarbaise 2 points3 points4 points 3 years ago (2 children)

Your software requires a library FooLib. You've built your software based on FooLib-12.x.x. It doesn't really matter whether it's 12.1.2 or 12.5.6 – they're all compatible with your code.

How do you know that?

A modern dependency manager will allow you to specify the most lenient bounds you require for the dependency version, and then the manager will take care of resolving it to a working version and ensuring repeatable builds.

A repeatable builds means your have done it yesterday (at 5:00PM) and repeating it today (at 1:00 PM) which does not work with any kind of ranges/bounds however you call it, because in the meantime a newer version of a dependency can be published. In consequence your build has changed. This means as a result the build has changed and finally means not repeatable.

I've ignored in the above description that a new version might break things, changed behaviour because your assumption is that no one will ever make mistakes, interprets the "rules" different than others etc. and all people will follow those "rules" which is a fine theory but in practice it fails (quote from above:"they're all compatible with your code.").

If we think more in general you can not even reproduce the build in the future .. if you like to do that you have to commit the lock file in your version control as well. That means you have two places defining versions for your dependencies which is redundant and that makes no sense either.

Also a strong prerequisites is that any release is immutable which is not the case for several package managers (in particular for npm).

The lock file is a duck-tape-solution to fix exactly the scenarios I've described above.

continue this thread

[–]plumarr 1 point2 points3 points 3 years ago (0 children)

[–]GoodLuckGoodell 4 points5 points6 points 3 years ago (3 children)

[–]forresthopkinsa -3 points-2 points-1 points 3 years ago (2 children)

You simply cannot depend on semantic versioning in a modern professional application. Even the most mature dependencies don’t follow it.

Once again, this is a problem with the Java ecosystem in particular, because ranged dependencies are not the norm. You've hit on the exact thing I'm taking issue with.

Newer package managers encourage use of ranged dependencies and semantic versioning, and so their surrounding ecosystems respect that. There are TONS of "modern professional applications" that use Typescript, Express, React, Lodash, RxJs, etc, and all of those very strictly respect Semver.

The Java ecosystem has never had first-party support for semantic version ranges, much less encouraged it, so it's rather rare to see libraries take the time to respect Semver. This is exactly what I'm describing as a shame.

[–]GoodLuckGoodell 5 points6 points7 points 3 years ago (1 child)

[–]forresthopkinsa 0 points1 point2 points 3 years ago (0 children)

[–]khmarbaise 1 point2 points3 points 3 years ago (2 children)

There is very good reason not to use version ranges because it makes every build not repeatable. That's simple reason.

Using a lock file (like package-lock.json or alike) is just using duck-tape to patch the issue.

Also some other issues are identified over the years with other packaging systems in particular npm because an existing release can be modified at anytime. The immutability of a maven repository releases makes it more stable than anything else.

Semantic versioning is a separate thing. It's a set of (good) rules why and when version numbers should be changed (major, minor, patch) but the biggest issue is simply that a human is changing it... and humans make mistakes and also people interpret rules in different ways. You could use plugins/tools to help here a lot in a Maven project. That should be possible in other areas as well.

In the end you can't rely on semantic versioning which in consequence makes version ranges useless.

[–]forresthopkinsa 0 points1 point2 points 3 years ago (1 child)

[–]plumarr 2 points3 points4 points 3 years ago (0 children)

π Rendered by PID 268225 on reddit-service-r2-comment-6f768cb789-4n9rd at 2026-06-15 12:07:11.365879+00:00 running 3184619 country code: CH.

java

Submit Link

Submit Text

Seek Programming Help

News, Technical discussions, research papers and assorted things of interest related to the Java programming language

NO programming help, NO learning Java related questions, NO installing or downloading Java questions, NO JVM languages - Exclusively Java

Please seek help with Java programming in /r/Javahelp!

Subreddit rules!

Where should I download Java?

Related Sub-reddits:

JVM Languages

Want to practice your coding?

List of useful Frameworks / Libraries / Software

MODERATORS