Maven only requires you to specify versions of dependencies that you use directly. Transitive dependencies aren't visible in the pom.xml and their version is chosen in a seemingly random way.

This Maven plugin enables you to:

• Review exactly which dependencies you have, including transitive ones
• Make sure dependencies are not accidentally changed
• Track changes to dependencies in your SCM
• Enable vulnerability scanning in all your dependencies, including transitive ones
• Enable Dependabot Security Alerts for transitive dependencies

It is a bit like mvn dependency:list but the output is intended to be tracked by you SCM and the check goal makes sure you don't forget to update the file.

mvn se.vandmo:dependency-lock-maven-plugin:create-lock-file will create a file named dependencies-lock.json by default.

You should then commit that file to your source control of choice.

Choose between JSON format and POM XML format. The latter is more verbose but will be detected by Dependabot Security Alerts.

The following snippet in your pom.xml file will make sure that the actual dependencies are the same as in the dependencies-lock.json file.

<build>
  <plugins>
    <plugin>
      <groupId>se.vandmo</groupId>
      <artifactId>dependency-lock-maven-plugin</artifactId>
      <version>use latest version</version>
      <executions>
        <execution>
          <id>check</id>
          <phase>validate</phase>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>

Adding the following in ~/.m2/settings.xml will allow you to write mvn dependency-lock:create-lock-file

<pluginGroups>
  <pluginGroup>se.vandmo</pluginGroup>
</pluginGroups>

The filename of the lock file.

Used to specify which dependencies should have the same version as the main module.

Example:

<useMyVersionFor>
  <dependency>org.myorg:myapplication-controllers-*</dependency>
  <dependency>org.myorg:myapplication-helpers</dependency>
</useMyVersionFor>

Which lock file format to use, defaults to json.

• json, lock file in JSON format, default filename is dependency-lock.json
• pom, lock file in POM XML format, default filename is .dependeny-lock/pom.xml

Checks that actual dependencies matches the lock file. Fails the build if there is no match. Expects a lock file to exist.

If some dependencies are part of the same multi-module project you might want those dependencies to be the same version as the artifact where the dependencies are locked. You can achieve this by configuring the plugin like such:

<configuration>
  <useMyVersionFor>
    <dependency>org.myorg:myapplication-*</dependency>
  </useMyVersionFor>
</configuration>

The filter syntax is [groupId]:[artifactId]:[type]:[version] where each pattern segment is optional and supports full and partial * wildcards. An empty pattern segment is treated as an implicit wildcard. For example, org.myorg.* will match all artifacts whose group id starts with org.myorg., and :::*-SNAPSHOT will match all snapshot artifacts.

Deprecated: Use create-lock-file instead and avoid editing the lock file

Formats the lock file. This can be useful after manually editing the lock file to make sure future changes does not reformat the edits. Note that editing the lock file isn't needed any longer.

Deprecated: Use create-lock-file instead

Creates a lock file from the actual dependencies. Considers some values in the existing lock file.

Creates a lock file from the actual dependencies.

Dependabot Updates currently creates a single PR for each change. If you use pom format and merge all PRs from Dependabot then that combined build might work, but each single PR will fail. There are feature requests for combined PRs for Dependabot which, if implemented, could make a combined PR work. Another approach to automate the creation of PRs would be to have a GitHub workflow that creates a combined PR based on the Dependabot PRs.

Version 1.x will be released in a near future. That release will remove support for the format and lock goals. Specifically it is the possibility to edit the JSON lock file that will be removed. I don't like breaking backwards compatibility but keeping those goals makes it harder to develop some new, much needed, features. I plan on continuing on the 1.x version forever and keep backwards compatibility forever as well. I will create 0.x releases on demand as well if needed.