Automatically Update Dependencies in Maven: A Step-By-Step Guide

If your Maven project feels like a ticking time bomb of outdated dependencies, you’re not alone. Developers often put off updates—until a critical CVE or compatibility issue makes them wish they hadn’t.
Keeping your dependencies current doesn’t just reduce risk—it improves performance, adds features, and aligns with best practices in secure software development. In this guide, we’ll walk you through manual and automated ways to update Maven dependencies, including how to use powerful tools like Renovate to automate the process entirely.
Let’s make outdated dependencies a thing of the past.
Defining Maven dependencies
Dependencies in Maven are defined in your pom.xml file using a combination of groupId, artifactId, and version. These entries tell Maven where to fetch the right packages from central repositories and include them during your build.
Managing this manually is fine for small projects, but as your application grows, especially if you rely on a BOM (Bill of Materials) like com.google.cloud:libraries-bom, tracking individual versions becomes time-consuming and risky.
- Inside the <dependencyManagement> block:

- Inside a top-level <dependencies> block:

- Inside a <build><plugins> block:

A BOM helps manage consistent dependency versions across modules. But BOMs need maintenance too—just because you’re not declaring individual libraries doesn’t mean you’re up to date.
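To make the three locations above concrete, here is an added example (not code from the original article) that parses a pom.xml and lists every coordinate together with the block that declares it, resolving ${property} versions along the way. The sample POM, its versions, and the function name list_coordinates are constructed for illustration; note how the artifact without a <version> is reported as managed, which is exactly the case where the BOM decides what you actually ship.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM: coordinates and versions are illustrative only.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><junit.version>4.13.2</junit.version></properties>
  <dependencyManagement><dependencies><dependency>
    <groupId>com.google.cloud</groupId><artifactId>libraries-bom</artifactId>
    <version>26.1.0</version><type>pom</type><scope>import</scope>
  </dependency></dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>com.google.cloud</groupId><artifactId>google-cloud-storage</artifactId></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>${junit.version}</version></dependency>
  </dependencies>
  <build><plugins><plugin>
    <groupId>org.apache.maven.plugins</groupId><artifactId>maven-compiler-plugin</artifactId>
    <version>3.8.1</version>
  </plugin></plugins></build>
</project>"""

# Path, relative to <project>, of each block that can pin a version.
LOCATIONS = {
    "dependencyManagement": "m:dependencyManagement/m:dependencies/m:dependency",
    "dependencies": "m:dependencies/m:dependency",
    "build/plugins": "m:build/m:plugins/m:plugin",
}

def list_coordinates(pom_text):
    """Return (location, groupId, artifactId, version) for every declared artifact."""
    root = ET.fromstring(pom_text)
    props = {p.tag.split("}")[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    found = []
    for location, path in LOCATIONS.items():
        for node in root.findall(path, NS):
            field = lambda tag: node.findtext("m:" + tag, "", NS).strip()
            # Resolve ${property} references; leave unknown ones untouched.
            version = re.sub(r"\$\{([^}]+)\}",
                             lambda m: props.get(m.group(1), m.group(0)), field("version"))
            found.append((location, field("groupId"), field("artifactId"),
                          version or "(managed by BOM or parent)"))
    return found

if __name__ == "__main__":
    for row in list_coordinates(SAMPLE_POM):
        print("{:22} {}:{}:{}".format(*row))
```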
How to check for availability of newer versions for the dependencies and plugins in Maven
Maven offers tooling to inspect your dependencies for available updates. The most useful is the versions-maven-plugin, which shows you what can be upgraded.

This shows the current state of your project and highlights newer versions available in the repositories.
These commands don’t make changes—they surface what’s behind and give you a clear baseline. If you maintain long-lived projects or inherit legacy apps, this should be a first diagnostic step.
Maven dependency updating by hand
Once you’ve identified outdated dependencies, you can update them manually in the pom.xml.

While this approach gives you full control, it’s error-prone at scale. You’ll need to cross-reference changelogs, validate for compatibility, and test thoroughly after each bump. It’s manageable in smaller projects but inefficient in a modern CI/CD environment.
Use manual updates for:
- Legacy systems not yet ready for automation
- High-risk changes (e.g., major version upgrades)
- Dependencies that require behavior verification
Maven dependency updating using the CLI
If you want to speed things up, the versions-maven-plugin also includes goals that update dependencies in place via CLI.

These CLI commands allow you to:
- Automatically replace outdated versions
- Target specific scopes (dependencies, plugins, parents)
- Constrain updates to patch/minor versions with flags like allowMajorUpdates=false
The CLI is powerful but still manual—you must commit the changes, verify correctness, and ensure test coverage. It’s best used when you want faster workflows without going full automation.
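What a constraint like allowMajorUpdates=false means for the version you end up on, as an added example that is not part of the original article and is not the plugin's own version-comparison code. It is a simplified model that handles plain numeric versions only and skips qualified ones; the names parse and plan_update and the version list are constructed. It also reports the newer major releases the constraint leaves behind, which is the list to review when the older major line stops receiving fixes.

```python
import re

def parse(version):
    """(major, minor, patch) for plain numeric versions; None for qualified ones."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def plan_update(current, available, allow_major=False):
    """Pick the newest permitted release and report newer majors left behind."""
    cur = parse(current)
    if cur is None:
        raise ValueError("current version must be numeric: " + current)
    # Skip -SNAPSHOT, -rc1 and similar, and anything not newer than current.
    newer = sorted((p, v) for v in available if (p := parse(v)) and p > cur)
    permitted = [(p, v) for p, v in newer if allow_major or p[0] == cur[0]]
    held_back = [v for p, v in newer if p[0] != cur[0] and not allow_major]
    target = permitted[-1][1] if permitted else None
    return {"target": target, "held_back": held_back}

# Constructed version list, standing in for what a repository lookup returns.
AVAILABLE = ["2.13.0", "2.13.5", "2.15.2", "3.0.0-rc1", "3.0.0", "3.0.1",
             "2.16.0-SNAPSHOT"]

if __name__ == "__main__":
    print(plan_update("2.13.0", AVAILABLE))                    # minor/patch only
    print(plan_update("2.13.0", AVAILABLE, allow_major=True))  # majors allowed
```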
Maven dependency updating using Renovate
The next step up is automation. Mend Renovate is a family of products that helps developers keep their dependencies up-to-date. It automates the process of finding new versions, creating pull requests (PRs), and reviewing changes, saving developers valuable time and effort.
The family of products includes:
- Mend Renovate CLI is an open source project: a community-driven version with basic dependency management features. It’s ideal for individual developers and small teams attempting to keep a few code repositories up-to-date.
- Mend Renovate Community is a free plugin that has cloud and on-prem versions. It adds significant quality-of-life and ease-of-use features such as job scheduling and API access.
- Mend Renovate Enterprise is an enterprise-grade solution that offers additional features such as advanced security checks, detailed insight into the effort needed to implement specific updates, granular control, and enterprise-level support. There are cloud and on-premise versions.
It’s perfect for larger teams and organizations with complex dependency management needs.
- Mend Renovate is installed into the repositories of your choosing
- It scans each repository regularly (typically every hour, but scans can be even more frequent when important webhooks are received)
- On each scan, the bot detects all pom.xml files in your repository, extracts all dependencies within, and looks up whether any of them have newer versions available
- Based on your configuration, Mend Renovate will either raise PRs immediately or during the schedule of your choice. PRs can be raised one per package or grouped together if preferred
- Mend Renovate will also embed any Changelogs or Release Notes it can find for each release
- Typically, any PR should trigger your regular CI tests
- Once developers are happy with the update, they can merge the PR to update the dependencies
If we go back to the Google Cloud Platform repository we originally looked at, we can see that this repository actually uses Mend Renovate already! In fact, it’s quickly risen to be the number one “contributor” to the repository, as measured by GitHub:

Taking a look at the repository’s Pull Requests, we can see a few from Mend Renovate such as this one:

Here you can see:
- The PR title clearly describes which package is being updated and to which version
- There’s one commit, but five files have been updated
- Two different existing versions of the dependency have been found, and both are updated to the newest version
- Release Notes have been conveniently included but minimized
- Custom labels have been added
This is automation at its best. No human needed to manually check package versions, make commits, or create descriptions in a pull request — let alone manually copy/paste release notes.
Installing and using Mend Renovate
First you should choose which product in the Mend Renovate family suits your needs the best.
Here’s the quickest way to get it for each platform:
- github.com: Install it for free via GitHub Marketplace
- gitlab.com: Log in to https://developer.mend.io/ using your GitLab identity
- GitHub Enterprise: Run Mend Renovate On-Prem
- GitLab CE/EE: Run Mend Renovate On-Prem
- Bitbucket: Run Renovate OSS CLI
- Azure DevOps: Run Renovate OSS CLI