Dependency Management

Standards for managing library versions, dependency constraints, and Bill of Materials (BOM) in Java/Gradle projects.

When to use this skill

• Adding or updating dependencies
• Managing library versions in version catalogs
• Resolving dependency conflicts
• Upgrading Spring Boot or other frameworks
• Setting up BOM-based dependency management
• Understanding version compatibility matrices

Skill Contents

Sections

• When to use this skill (L24-L32)
• Critical Policies (L58-L89)
• Version Catalog Structure (L90-L121)
• Bundle Patterns (L122-L153)
• BOM Strategy (L154-L185)
• References (L186-L196)
• Related Rules (L197-L201)
• Related Skills (L202-L209)

Available Resources

📚 references/ - Detailed documentation

• bom strategy
• bundle patterns
• compatibility matrices
• resolution strategies
• security updates
• version centralization

Critical Policies

1. Version Centralization (Mandatory)

All dependency versions MUST be centralized in

gradle/libs.versions.toml

// ❌ NEVER: Hardcode versions in build.gradle
dependencies {
    implementation "org.springframework.boot:spring-boot-starter-web:3.5.9"
}

// ✅ ALWAYS: Use version catalog
dependencies {
    implementation libs.spring.boot.starter.web
}

See references/version-centralization.md for anti-patterns and approved locations.

2. Never Downgrade Pre-existing Versions

Never replace a library version with an older version that pre-existed in the repository.

See references/version-centralization.md for the full policy.

Version Catalog Structure

The version catalog (

gradle/libs.versions.toml

[versions]
spring-boot = "3.5.9"
grpc = "1.78.0"
spock = "2.4-groovy-4.0"
junit-jupiter = "5.14.2"

[libraries]
spring-boot-starter-web = { module = "org.springframework.boot:spring-boot-starter-web", version.ref = "spring-boot" }
spring-boot-bom = { module = "org.springframework.boot:spring-boot-dependencies", version.ref = "spring-boot" }

[bundles]
testing-spock = ["spock-core", "spock-spring"]
spring-boot-service = ["spring-boot-starter-web", "spring-boot-starter-actuator"]

[plugins]
spring-boot = { id = "org.springframework.boot", version.ref = "spring-boot" }

Key Principles

Bundle Patterns

Bundles group related dependencies for cleaner build files:

// ❌ Verbose: Multiple declarations
dependencies {
    testImplementation libs.spock.core
    testImplementation libs.spock.spring
    testImplementation libs.testcontainers.spock
    testImplementation libs.testcontainers.postgresql
}

// ✅ Clean: Use bundles
dependencies {
    testImplementation libs.bundles.testing.spock
    testImplementation libs.bundles.testing.integration
}

Common Bundles

testing-spock

testing-integration

spring-boot-service

grpc-core

codegen

See references/bundle-patterns.md for all bundles and usage.

BOM Strategy

BOMs manage transitive dependency versions automatically:

// In root build.gradle
dependencyManagement {
    imports {
        mavenBom(libs.spring.boot.bom)
        mavenBom(libs.grpc.bom)
    }
}

Benefits

• Automatic resolution: BOM handles all transitives
• No conflicts: Related libraries stay compatible
• Easy updates: Update BOM version once

Platform vs Enforce

// ✅ RECOMMENDED: Use platform() - allows version overrides if needed
implementation platform(libs.spring.boot.bom)

// ⚠️ AVOID: enforcedPlatform() - strictly forces versions
implementation enforcedPlatform(libs.spring.boot.bom)

See references/bom-strategy.md for complete patterns.

References

Related Rules

• java-versions-and-dependencies - Original comprehensive rule
• java-gradle-best-practices - Gradle configuration patterns

Related Skills