
Find source of outdated dependencies indicated by Versions Maven Plugin


In my Maven project (an aggregate project with child projects) I issue the following command for the Versions Maven Plugin:

mvn versions:display-dependency-updates

There are a couple of outdated dependencies, and I'm not sure where they are coming from:

[INFO] The following dependencies in Dependency Management have newer versions:
[INFO]   biz.aQute.bnd:biz.aQute.bnd.annotation ................ 6.4.1 -> 7.0.0
[INFO]   org.mockito:mockito-inline ............................ 4.8.1 -> 5.2.0

Unfortunately, try as I might, I can't find which library references these. I've tried the following with the Maven Dependency Plugin, both in the root project and in child projects:

mvn dependency:tree

None of the output mentions biz.aQute.bnd:biz.aQute.bnd.annotation or org.mockito:mockito-inline.

The two suspects are:

  • com.amazonaws:aws-lambda-java-log4j2:1.6.0 or org.apache.logging.log4j:log4j-bom:2.21.1 (for biz.aQute.bnd:biz.aQute.bnd.annotation)
  • com.fasterxml.jackson:jackson-bom:2.15.3 (for org.mockito:mockito-inline)

But those are just suspicions based upon the additional dependency management I have in the subprojects where those outdated dependencies show up.

Is there any command I can use to find out which dependency is bringing in the outdated dependencies listed by the Versions Maven Plugin?


Solution

  • Someone on the Maven Users mailing list pointed me to the Maven Help Plugin, which has an effective-pom goal with a verbose option. I already knew about an effective POM, but I didn't realize the goal had a verbose option.

    mvn help:effective-pom -Dverbose=true
    

    That gives me effective dependency management of the individual dependencies, along with the POM each comes from—even with line numbers.

    Epilogue: It turns out biz.aQute.bnd:biz.aQute.bnd.annotation:6.4.1 is coming from org.apache.logging:logging-parent:10.1.1. And org.mockito:mockito-inline:4.8.1 was getting in because I forgot that one of my own libraries 😊 hadn't been updated to use my newer root POM (which manages the versions of testing libraries).
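An added example, not part of the original answer: a small parser that reads the verbose effective POM and reports which POM pins each managed dependency version. It assumes the verbose output annotates each element with a trailing `<!-- group:artifact:version, line N -->` comment; the sample input is constructed, and its line numbers and `com.example` coordinates are placeholders.

```python
import re

# Assumed verbose annotation: <tag>value</tag>  <!-- group:artifact:version, line N -->
ELEMENT = re.compile(r"<(groupId|artifactId|version)>([^<]*)</\1>\s*"
                     r"(?:<!--\s*(.*?),\s*line\s+(\d+)\s*-->)?")

# Constructed sample; line numbers and com.example coordinates are placeholders.
SAMPLE = """\
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>biz.aQute.bnd</groupId>  <!-- org.apache.logging:logging-parent:10.1.1, line 100 -->
        <artifactId>biz.aQute.bnd.annotation</artifactId>  <!-- org.apache.logging:logging-parent:10.1.1, line 101 -->
        <version>6.4.1</version>  <!-- org.apache.logging:logging-parent:10.1.1, line 102 -->
      </dependency>
      <dependency>
        <groupId>org.mockito</groupId>  <!-- com.example:placeholder-parent:1.0, line 40 -->
        <artifactId>mockito-inline</artifactId>  <!-- com.example:placeholder-parent:1.0, line 41 -->
        <version>4.8.1</version>  <!-- com.example:placeholder-parent:1.0, line 42 -->
      </dependency>
    </dependencies>
  </dependencyManagement>
"""

def managed_sources(effective_pom):
    """Map 'groupId:artifactId' -> (version, declaring POM, line) per managed entry."""
    found, in_mgmt, dep = {}, False, None
    for line in effective_pom.splitlines():
        if "<dependencyManagement>" in line:
            in_mgmt = True
        elif "</dependencyManagement>" in line:
            in_mgmt = False
        elif in_mgmt and "<dependency>" in line:
            dep = {}
        elif dep is not None and "</dependency>" in line:
            if {"groupId", "artifactId", "version"} <= dep.keys():
                key = f"{dep['groupId'][0]}:{dep['artifactId'][0]}"
                found[key] = dep["version"]
            dep = None
        elif dep is not None and (m := ELEMENT.search(line)):
            tag, value, pom, lineno = m.groups()
            # setdefault keeps the dependency's own coordinates, not an exclusion's
            dep.setdefault(tag, (value.strip(), pom, int(lineno) if lineno else None))
    return found

if __name__ == "__main__":
    for coords, (version, pom, lineno) in managed_sources(SAMPLE).items():
        print(f"{coords}:{version} <- {pom} (line {lineno})")
```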