Checking for new dependency updates

The display-dependency-updates goal will check all the dependencies used in your project and display a list of those dependencies with newer versions available.

Here are some examples of what this looks like:

svn checkout http://svn.codehaus.org/mojo/trunk/mojo/build-helper-maven-plugin build-helper-maven-plugin
cd build-helper-maven-plugin
mvn versions:display-dependency-updates

Which produces the following output:

[INFO] ------------------------------------------------------------------------
[INFO] Building Build Helper Maven Plugin
[INFO]    task-segment: [versions:display-dependency-updates]
[INFO] ------------------------------------------------------------------------
[INFO] [versions:display-dependency-updates]
[INFO]
[INFO] The following dependency updates are available:
[INFO]   org.apache.maven:maven-artifact ........................ 2.0 -> 2.0.9
[INFO]   org.apache.maven:maven-plugin-api ...................... 2.0 -> 2.0.9
[INFO]   org.apache.maven:maven-project ....................... 2.0.2 -> 2.0.9
[INFO]   org.codehaus.plexus:plexus-utils ....................... 1.1 -> 1.5.6
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESSFUL
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 17 seconds
[INFO] Finished at: Fri Aug 15 10:46:03 IST 2008
[INFO] Final Memory: 10M/167M
[INFO] ------------------------------------------------------------------------

Ignoring specific version suffixes

Let's suppose you do not want org.apache.maven.doxia:doxia-core to be updated to 2.0.0-M6, or org.apache.maven:maven-core to 4.0.0-alpha-5, or to anything with -M or -alpha in it.

You can either use ruleSet or ignoredVersions.

Note: At first sight of the dependencyExcludes option, one might consider using it to filter out anything matching 2.*-M.* or *-alpha.*. That would be wrong. dependencyIncludes and dependencyExcludes work only on the original dependency version, that is, the dependency versions that are already used by your project. This means you will likely still see the dreaded 2.0.0-M6-like version in the updates.

Using ignoredVersions (simple regex filters)

Note: Both ignoredVersions and ruleSet filter target versions, and not the original versions of the dependencies.

Say we want to avoid versions with -M or -alpha suffixes:

mvn versions:display-dependency-updates "-Dmaven.version.ignore=.*-M.*,.*-alpha.*"

or in your POM:

<configuration>
    <ignoredVersions>
        <ignoredVersion>.*-M.*</ignoredVersion>
        <ignoredVersion>.*-alpha.*</ignoredVersion>
    </ignoredVersions>
</configuration>

or, using just one regular expression:

<configuration>
    <ignoredVersions>.*-M.*,.*-alpha.*</ignoredVersions>
</configuration>

Using ruleSet (more control)

<configuration>
  <ruleSet>
    <ignoreVersions>
      <ignoreVersion type="regex">.*-M.*</ignoreVersion>
      <ignoreVersion type="regex">.*-alpha.*</ignoreVersion>
    </ignoreVersions>
  </ruleSet>
</configuration>

See also: Version rules

Output with ignored versions

Instead of:

org.apache.maven:maven-core ........ 3.2.5 -> 4.0.0-alpha-5

You will only see stable updates:

org.apache.maven:maven-core ........ 3.2.5 -> 3.9.2

With these filters in your project config, the full output changes as follows. Instead of:

[INFO] --- versions:2.15.0:display-dependency-updates (default-cli) @ versions-maven-plugin ---
[INFO] The following dependencies in Dependency Management have newer versions:
[INFO]   dom4j:dom4j ................................. 1.6.1 -> 20040902.021138
[INFO]   org.apache.maven:maven-artifact ............... 3.2.5 -> 4.0.0-alpha-5
[INFO]   org.apache.maven:maven-compat ................. 3.2.5 -> 4.0.0-alpha-5
[INFO]   org.apache.maven:maven-core ................... 3.2.5 -> 4.0.0-alpha-5
[INFO]   org.apache.maven:maven-model .................. 3.2.5 -> 4.0.0-alpha-5
[INFO]   org.apache.maven:maven-plugin-api ............. 3.2.5 -> 4.0.0-alpha-5
[INFO]   org.apache.maven:maven-settings ............... 3.2.5 -> 4.0.0-alpha-5
[INFO]   org.apache.maven.enforcer:enforcer-api ................ 3.2.1 -> 3.3.0
[INFO]   org.apache.maven.plugin-testing:maven-plugin-testing-harness ...
[INFO]                                                   3.3.0 -> 4.0.0-alpha-1
[INFO]   org.apache.maven.plugin-tools:maven-plugin-annotations ...
[INFO]                                                           3.8.1 -> 3.8.2
[INFO]   org.mockito:mockito-inline ........................... 4.11.0 -> 5.2.0
[INFO]   org.slf4j:slf4j-simple ............................... 1.7.36 -> 2.0.7

you will only see:

[INFO] --- versions:2.15.0:display-dependency-updates (default-cli) @ versions-maven-plugin ---
[INFO] The following dependencies in Dependency Management have newer versions:
[INFO]   dom4j:dom4j ................................. 1.6.1 -> 20040902.021138
[INFO]   org.apache.maven:maven-artifact ....................... 3.2.5 -> 3.9.2
[INFO]   org.apache.maven:maven-compat ......................... 3.2.5 -> 3.9.2
[INFO]   org.apache.maven:maven-core ........................... 3.2.5 -> 3.9.2
[INFO]   org.apache.maven:maven-model .......................... 3.2.5 -> 3.9.2
[INFO]   org.apache.maven:maven-plugin-api ..................... 3.2.5 -> 3.9.2
[INFO]   org.apache.maven:maven-settings ....................... 3.2.5 -> 3.9.2
[INFO]   org.apache.maven.enforcer:enforcer-api ................ 3.2.1 -> 3.3.0
[INFO]   org.apache.maven.plugin-tools:maven-plugin-annotations ...
[INFO]                                                           3.8.1 -> 3.8.2
[INFO]   org.mockito:mockito-inline ........................... 4.11.0 -> 5.2.0
[INFO]   org.slf4j:slf4j-simple ............................... 1.7.36 -> 2.0.7

Difference between ignoredVersions or ruleSet and dependencyExcludes

You might wonder when to use ignoredVersions or ruleSet versus dependencyExcludes.

As said before, dependencyExcludes targets the version before the upgrade, while ignoredVersions and ruleSet filter the possible upgrades.

| Option             | Applies to…                                          | Typical use case                                               |
|--------------------|------------------------------------------------------|----------------------------------------------------------------|
| dependencyExcludes | Project dependencies (what is declared in your POM)  | Ignore certain dependencies entirely when scanning for updates |
| ignoredVersions    | Possible updates                                     | Filter certain suffixes or versions from available updates     |
| ruleSet            | Possible updates (global or per groupId:artifactId)  | Same as above with fine-grained control                        |
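
The distinction above can be checked against a real report. The following is an added example, not part of the plugin or its documentation: it parses display-dependency-updates output (including entries wrapped onto a second line) and applies the page's two patterns first to the target versions and then to the current versions. The function names are hypothetical, and whole-string regex matching is an assumption consistent with the patterns being wrapped in ".*".

```python
import re

# Constructed sample: lines taken from the unfiltered report shown on this page.
SAMPLE = """\
[INFO] The following dependencies in Dependency Management have newer versions:
[INFO]   dom4j:dom4j ................................. 1.6.1 -> 20040902.021138
[INFO]   org.apache.maven:maven-core ................... 3.2.5 -> 4.0.0-alpha-5
[INFO]   org.apache.maven.enforcer:enforcer-api ................ 3.2.1 -> 3.3.0
[INFO]   org.apache.maven.plugin-testing:maven-plugin-testing-harness ...
[INFO]                                                   3.3.0 -> 4.0.0-alpha-1
[INFO]   org.slf4j:slf4j-simple ............................... 1.7.36 -> 2.0.7
"""

IGNORED = [r".*-M.*", r".*-alpha.*"]  # same patterns as the ignoredVersions example
ENTRY = re.compile(r"^\[INFO\]\s+(\S+:\S+) \.{2,}\s*(?:(\S+) -> (\S+))?$")
CONT = re.compile(r"^\[INFO\]\s+(\S+) -> (\S+)$")

def parse_updates(report):
    """Return [(groupId:artifactId, current, target)], joining wrapped entries."""
    updates, pending = [], None
    for line in map(str.rstrip, report.splitlines()):
        m = ENTRY.match(line)
        if m:
            ga, cur, new = m.groups()
            if cur is None:
                pending = ga  # long coordinates: versions follow on the next line
            else:
                updates.append((ga, cur, new))
                pending = None
            continue
        c = CONT.match(line)
        if c and pending:
            updates.append((pending, c.group(1), c.group(2)))
        pending = None
    return updates

def is_ignored(version, patterns=IGNORED):
    # Assumption: a pattern must match the whole version string, which is
    # why the page's patterns carry ".*" on both sides.
    return any(re.fullmatch(p, version) for p in patterns)

def prerelease_targets(updates):
    """Updates whose *target* version the ignoredVersions patterns match."""
    return [u for u in updates if is_ignored(u[2])]

def matched_on_current(updates):
    """Same patterns tested on the *current* version (what dependencyExcludes sees)."""
    return [u for u in updates if is_ignored(u[1])]
```

Run over a CI build log, a non-empty prerelease_targets result indicates the ignore patterns are not in effect; matched_on_current stays empty for this sample, which is why the same patterns are of no use in dependencyExcludes.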

Example

Let's say we want to list dependency updates for our POM, but we are not interested in any updates listing -M or -alpha suffixes.

We also don't want to bother with updates to slf4j-simple or dom4j at all.

Our project has a couple of build plugins, which are defined with dependencies on plexus-utils, like so:

<build>
  <plugins>
    <plugin>
      <groupId>com.mygroup</groupId>
      <artifactId>myartifact</artifactId>
      <version>1.10.2</version>
      <dependencies>
        <dependency>
          <groupId>org.codehaus.plexus</groupId>
          <artifactId>plexus-utils</artifactId>
          <version>1.1</version>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>

This plugin depends on a pretty old version of plexus-utils.

However, we are also not interested in seeing any dependencies of it.

That will translate to the following configuration:

<plugin>
  <groupId>org.codehaus.mojo</groupId>
  <artifactId>versions-maven-plugin</artifactId>
  <version>2.21.0</version>
  <configuration>
    <!-- Ignore unstable versions globally -->
    <ignoredVersions>
      <ignoredVersion>.*-M.*</ignoredVersion>
      <ignoredVersion>.*-alpha.*</ignoredVersion>
    </ignoredVersions>

    <!-- Exclude specific project dependencies -->
    <dependencyExcludes>
      <dependencyExclude>org.slf4j:slf4j-simple</dependencyExclude>
      <dependencyExclude>dom4j:dom4j</dependencyExclude>
    </dependencyExcludes>

    <!-- Exclude dependencies of plugins in the POM -->
    <pluginDependencyExcludes>
      <pluginDependencyExclude>org.codehaus.plexus:plexus-utils</pluginDependencyExclude>
    </pluginDependencyExcludes>
  </configuration>
</plugin>

The above configuration will:

  • Skip looking for dependency updates for any org.slf4j:slf4j-simple or dom4j:dom4j dependency versions that are defined in your POM
  • Skip looking for dependency updates for any org.codehaus.plexus:plexus-utils dependency versions that are dependencies of plugins in your POM
  • Leave all -M and -alpha versions out of the listed updates for any retrieved updates