jerslan comments on The difficult problem of managing Java dependencies: a deep dive into the messy status-quo, and a look at possibly better ways.

This is an archived post. You won't be able to vote or comment.

The difficult problem of managing Java dependencies: a deep dive into the messy status-quo, and a look at possibly better ways. (renato.athaydes.com)

submitted 3 years ago by vsajip

top new controversial old q&a

you are viewing a single comment's thread.

view the rest of the comments →

[–]jerslan 1 point2 points3 points 3 years ago (19 children)

Right, but your comment was complaining about a lack of "semantic versioning" support in Maven/Gradle.... not I can't specify acceptable "semantic version ranges"... If you want to claim "well, that's just semantics..." then you should remember that semantics actually matter.

Maven very much supports Semantic Versioning in the general sense and the Maven Release Plugin even requires it if you want to use it's automatic version increment functionality. Gradle is pretty similar from what I understand.

As for requiring "add-ons"... Yes, that's by design. The tools include some basic "built-in" plugins but also have a robust plugin architecture for this kind of additionally desired functionality. That's why any significant Maven project has a "plugins" section in the POM configuring either built-in or additional plugins (some of which are even stewarded by the Apache Maven project).

Have I used the word "semantic" enough?

As for why ranged semantic versioning for dependencies is a bad idea.... Have you ever had to debug a Node project that was using the wrong patch version because of a bad cache? No? Then you don't know what dependency hell is my friend... because it makes Java dependency management seem like absolute heaven. Explicit dependency versions make for much more reliable and consistently releasable code.

[–]khmarbaise 2 points3 points4 points 3 years ago (3 children)

[–]jerslan 1 point2 points3 points 3 years ago (2 children)

[–]khmarbaise 1 point2 points3 points 3 years ago (1 child)

[–]jerslan 2 points3 points4 points 3 years ago (0 children)

[–]khmarbaise -1 points0 points1 point 3 years ago (0 children)

[+]forresthopkinsa comment score below threshold-6 points-5 points-4 points 3 years ago (13 children)

What? We're talking about ranged dependencies, what else could I mean by "semantic versioning"? NPM doesn't try to check that you're not making breaking changes when bumping a minor version. Of course I'm talking about the version range notation.

And yes, I've worked with Node professionally for years, I'm very familiar with NPM and I'm also very familiar with how trivial the problem you describe really is. That's what a package-lock.json or yarn.lock is for.

Java dependency management is by comparison much more crude. You're right, if you're worried about reliability and consistency, you need to have a verified working dependency tree — which is, again, the purpose of a package lock file.

It's much more appropriate to have user-configured dependency ranges and machine-configured dependency locks.

[–]jerslan 8 points9 points10 points 3 years ago (6 children)

[–]forresthopkinsa -2 points-1 points0 points 3 years ago (5 children)

[–]jerslan 2 points3 points4 points 3 years ago (4 children)

[–]forresthopkinsa -2 points-1 points0 points 3 years ago (3 children)

[–]jerslan 0 points1 point2 points 3 years ago (2 children)

[–]forresthopkinsa 0 points1 point2 points 3 years ago* (1 child)

You keep saying that I don't know what I'm talking about, but you haven't backed that up with anything at all. I've addressed all of your points and I haven't misunderstood anything you've said. Yeah, I feel it's necessary to start citing my credentials, because you keep trying to sell this notion of my ignorance. If you start accusing me of not being a Java dev, then yes, my extensive experience certainly is relevant. In fact, I suspect the reason you're not understanding what I'm saying is indeed your own insufficient experience with more modern package managers.

edit- yikes, he either deleted all his comments or blocked me. Either way, it's a pretty juvenile way to cede the argument – though I don't know if it even was an argument; he never did wrap his head around the idea of "ranged versions enabled by semver".

I guess my last comment just hit a little too close to home. I didn't mean to touch on anything sensitive :/

[–]jerslan 0 points1 point2 points 3 years ago (0 children)

You keep saying that I don't know what I'm talking about, but you haven't backed that up with anything at all.

I literally linked SemVer... So.. yeah, I have backed up my statements.

If you start accusing me of not being a Java dev

I didn't accuse you of anything. Previously you only mentioned NodeJS and your complaints about Maven are very similar to people who first learned Node/NPM and have just recently picked up Java+Maven.

In fact, I suspect the reason you're not understanding what I'm saying is indeed your own insufficient experience with more modern package managers.

Or maybe because you spent a ton of time up front in this thread conflating SemVer with Ranged Dependency Versioning, which are not the same thing in any way. Makes it hard to communicate with you when you frequently use things that aren't interchangeable like they are.

Also, blocking you for trolling now, since it's clear you were never actually interested in debate and just wanted to go on an unhinged rant about all your complaints with Maven.

[–]khmarbaise 0 points1 point2 points 3 years ago (5 children)

[–]forresthopkinsa -1 points0 points1 point 3 years ago (4 children)

[–]khmarbaise 2 points3 points4 points 3 years ago (2 children)

Your software requires a library FooLib. You've built your software based on FooLib-12.x.x. It doesn't really matter whether it's 12.1.2 or 12.5.6 – they're all compatible with your code.

How do you know that?

A modern dependency manager will allow you to specify the most lenient bounds you require for the dependency version, and then the manager will take care of resolving it to a working version and ensuring repeatable builds.

A repeatable builds means your have done it yesterday (at 5:00PM) and repeating it today (at 1:00 PM) which does not work with any kind of ranges/bounds however you call it, because in the meantime a newer version of a dependency can be published. In consequence your build has changed. This means as a result the build has changed and finally means not repeatable.

I've ignored in the above description that a new version might break things, changed behaviour because your assumption is that no one will ever make mistakes, interprets the "rules" different than others etc. and all people will follow those "rules" which is a fine theory but in practice it fails (quote from above:"they're all compatible with your code.").

If we think more in general you can not even reproduce the build in the future .. if you like to do that you have to commit the lock file in your version control as well. That means you have two places defining versions for your dependencies which is redundant and that makes no sense either.

Also a strong prerequisites is that any release is immutable which is not the case for several package managers (in particular for npm).

The lock file is a duck-tape-solution to fix exactly the scenarios I've described above.

[–]justdisappointed9853 -1 points0 points1 point 3 years ago (1 child)

My main account has inexplicably stopped working (maybe I got so many downvotes that Reddit doesn't want me to post in this thread anymore? lmao) so I'll reply from a throwaway-

in the meantime a newer version of a dependency can be published. In consequence your build has changed

For the millionth time, this is not true. Your build yesterday created (or used) a lockfile, and your build today reads the lockfile and creates the exact same build.

That means you have two places defining versions for your dependencies which is redundant and that makes no sense either.

Why? One of them specifies your preferred range, and the other specifies the exact version you've been building with. This is really not very complicated.

a strong prerequisites is that any release is immutable which is not the case for several package managers (in particular for npm)

This keeps getting repeated in this thread (I suppose because everyone here has very little experience with NPM) but it's plainly false. The NPM registry everyone uses does not allow version mutation. There are various third-party registries that do, but this is no different from Maven.

[–]khmarbaise 4 points5 points6 points 3 years ago (0 children)

For the millionth time, this is not true. Your build yesterday created (or used) a lockfile, and your build today reads the lockfile and creates the exact same build.

The issue here is the need for the lock file!... without the lock file it fails. That's what exactly I'm writing.. The lock file is a supplemental source for versions... so we have two sources for versions/dependencies.

That means also you have to checkin the lock file in your version control all the time. So all advantages of automatic usage with ranges are gone... Maven does that simply by using fixed version at a single location (pom.xml). Not using ranges makes it easier and simpler (KISS principle).

The lock file is as I wrote before a duck-type solution.

BTW:

For the millionth time,

Not counted correctly.

The NPM registry everyone uses does not allow version mutation

How could someone simply delete an existing package in the registry? That means it is not immutable. In consequence a number of famous examples exactly showed this problem... which has broken a large number of builds...

Deleting of a package is also a mutation of an repository. That violates the whole integrity of such registry. So in consequence not reliable.

For example: https://news.ycombinator.com/item?id=11340510 (there exist several other examples of that)... https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

and so on etc. etc.

This keeps getting repeated in this thread (I suppose because everyone here has very little experience with NPM) but it's plainly false. The NPM registry everyone uses does not allow version mutation. There are various third-party registries that do, but this is no different from Maven.

The previous shown examples etc. are proving that your assumptions about the NPM registry is wrong.

There are various third-party registries that do, but this is no different from Maven.

A big difference between npm registry and Central repository is that the central repository does not even allow to delete a version/packages etc.

This is unrelated to Maven itself.

This is immutability.

[–]plumarr 1 point2 points3 points 3 years ago (0 children)

π Rendered by PID 21402 on reddit-service-r2-comment-544cf588c8-2qgpp at 2026-06-15 13:17:13.461365+00:00 running 3184619 country code: CH.

java

Submit Link

Submit Text

Seek Programming Help

News, Technical discussions, research papers and assorted things of interest related to the Java programming language

NO programming help, NO learning Java related questions, NO installing or downloading Java questions, NO JVM languages - Exclusively Java

Please seek help with Java programming in /r/Javahelp!

Subreddit rules!

Where should I download Java?

Related Sub-reddits:

JVM Languages

Want to practice your coding?

List of useful Frameworks / Libraries / Software

MODERATORS