Keeping Projects Secure and Up to Date with the Outdated Maven Plugin
This wasn't a typical Sunday morning. Sipping coffee and scrolling through my feed, I found this gem that Markus Eisele had just shared.
At first I saw the post titled "Outdated Maven Plugin" and wondered what it meant. Going into the Git repository, I found it was a new project by Giovanni van der Schelde.
Keep up to date and secure with the Outdated Maven Plugin!
The Outdated Maven Plugin is a tool that helps developers identify outdated dependencies in Maven projects. By scanning the project's dependencies, the plugin decides whether each one is still actively maintained, based on a user-defined threshold of years of inactivity. This helps keep your project on the latest and most secure versions of its dependencies.
This addresses a common problem: old binaries are still in use in many environments. Being able to set the threshold for the check, so you can keep pace with the release cadence of the binaries you depend on, is a big help. A quick online search shows how to find unused libraries with the Maven Dependency Plugin; it is easy to lose track of which dependencies are actually in use, and that is a good companion tool as well.
This plugin, however, checks for updates and gives developers and users data showing that something may need attention, especially when a library is old or may be a security risk.
Getting started
I dropped the following plugin into the project's pom.xml. Actually it isn't my project; I just cloned the Apache Struts examples repository from GitHub and tried it out. Sorry, Apache Struts, but when I think back to writing web systems more than a decade ago, it is one of the first things that comes to mind.
<plugin>
    <groupId>com.giovds</groupId>
    <artifactId>outdated-maven-plugin</artifactId>
    <version>1.0.0</version>
    <configuration>
        <!-- Maximum number of years of inactivity allowed -->
        <years>1</years>
        <!-- Whether to fail the build when outdated dependencies are found -->
        <shouldFailBuild>false</shouldFailBuild>
    </configuration>
    <executions>
        <execution>
            <id>outdated-check</id>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>
Note in the plugin above:
<years>: flag any library older than 1 year
<shouldFailBuild>: we don't want the build to fail, so it is set to false
Then run it on the project with the following command:
mvn com.giovds:outdated-maven-plugin:check
Output
This is interesting output. By the criteria above, the rest-angular module has outdated dependencies (older than 1 year).
[INFO] -------------------< org.apache.struts:rest-angular >-------------------
[INFO] Building REST Plugin based application with AngularJS 1.1.0 [33/47]
[INFO] from rest-angular/pom.xml
[INFO] --------------------------------[ war ]---------------------------------
[INFO]
[INFO] --- outdated:1.0.0:check (default-cli) @ rest-angular ---
[WARNING] Dependency 'org.hamcrest:hamcrest-all:1.3' has not received an update since version '1.3' was last uploaded '2012-07-09'.
[WARNING] Dependency 'org.hibernate.validator:hibernate-validator:6.2.3.Final' has not received an update since version '6.2.3.Final' was last uploaded '2022-03-03'.
[WARNING] Dependency 'org.glassfish:javax.el:3.0.1-b12' has not received an update since version '3.0.1-b12' was last uploaded '2020-10-12'.
[WARNING] Dependency 'com.fasterxml.jackson.core:jackson-core:2.14.1' has not received an update since version '2.14.1' was last uploaded '2022-11-22'.
[WARNING] Dependency 'com.fasterxml.jackson.core:jackson-annotations:2.14.1' has not received an update since version '2.14.1' was last uploaded '2022-11-22'.
[WARNING] Dependency 'com.fasterxml.jackson.core:jackson-databind:2.14.1' has not received an update since version '2.14.1' was last uploaded '2022-11-22'.
[WARNING] Dependency 'com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.14.1' has not received an update since version '2.14.1' was last uploaded '2022-11-22'.
[WARNING] Dependency 'junit:junit:4.13.2' has not received an update since version '4.13.2' was last uploaded '2021-02-13'.
[WARNING] Dependency 'com.jayway.jsonpath:json-path:2.7.0' has not received an update since version '2.7.0' was last uploaded '2022-01-30'.
[WARNING] Dependency 'javax.servlet:javax.servlet-api:4.0.1' has not received an update since version '4.0.1' was last uploaded '2018-04-20'.
[WARNING] Dependency 'javax.servlet:jsp-api:2.0' has not received an update since version '2.0' was last uploaded '2005-11-08'.
The output is clear: the dependency name, the version, and when that version was last uploaded to the Maven repository.
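With shouldFailBuild set to false, the plugin only prints warnings, so the build above still passes; the decision about what to do with the warnings has to be made somewhere else. The script below is an added example, not part of the original post or of the plugin project: it parses the WARNING lines in the format shown above, computes each dependency's age against a reference date, and applies a two-level policy (warn after 1 year, fail after 5) that is stricter than the plugin's single threshold. The log lines and the reference date (2024-07-14) are constructed for the example; the thresholds are assumptions you would tune for your own project.

```python
"""Gate a Maven build on the outdated-maven-plugin's WARNING output.

Added example (not the plugin's code): the plugin with shouldFailBuild=false
only warns, so this script is the CI-side policy that decides what to do with
those warnings.  SAMPLE_LOG and REFERENCE_DATE are constructed for the example.
"""
import re
import sys
from datetime import date

# Warning format printed by outdated-maven-plugin 1.0.0, as seen in the build log.
WARNING_RE = re.compile(
    r"\[WARNING\] Dependency '(?P<group>[^:']+):(?P<artifact>[^:']+):(?P<version>[^']+)' "
    r"has not received an update since version '[^']+' was last uploaded "
    r"'(?P<uploaded>\d{4}-\d{2}-\d{2})'\."
)

# Constructed sample: a few lines copied from the shape of the real output.
SAMPLE_LOG = """\
[INFO] --- outdated:1.0.0:check (default-cli) @ rest-angular ---
[WARNING] Dependency 'org.hamcrest:hamcrest-all:1.3' has not received an update since version '1.3' was last uploaded '2012-07-09'.
[WARNING] Dependency 'com.fasterxml.jackson.core:jackson-databind:2.14.1' has not received an update since version '2.14.1' was last uploaded '2022-11-22'.
[WARNING] Dependency 'javax.servlet:jsp-api:2.0' has not received an update since version '2.0' was last uploaded '2005-11-08'.
[INFO] BUILD SUCCESS
"""

# Fixed "today" so the example is reproducible (assumption, not a real run date).
REFERENCE_DATE = date(2024, 7, 14)


def parse_warnings(log_text):
    """Return one dict (group, artifact, version, uploaded as date) per WARNING line."""
    found = []
    for line in log_text.splitlines():
        m = WARNING_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["uploaded"] = date.fromisoformat(d["uploaded"])
            found.append(d)
    return found


def age_in_years(uploaded, today):
    """Whole years between the last upload and `today` (birthday-style rounding)."""
    years = today.year - uploaded.year
    if (today.month, today.day) < (uploaded.month, uploaded.day):
        years -= 1
    return years


def classify(deps, today, warn_years=1, fail_years=5):
    """Bucket dependencies into 'fail', 'warn' and 'ok' by age, oldest first."""
    buckets = {"ok": [], "warn": [], "fail": []}
    for d in deps:
        age = age_in_years(d["uploaded"], today)
        coord = f"{d['group']}:{d['artifact']}:{d['version']}"
        if age >= fail_years:
            buckets["fail"].append((coord, age))
        elif age >= warn_years:
            buckets["warn"].append((coord, age))
        else:
            buckets["ok"].append((coord, age))
    for bucket in buckets.values():
        bucket.sort(key=lambda entry: -entry[1])
    return buckets


def gate(log_text, today, warn_years=1, fail_years=5):
    """Return (exit_code, buckets); exit code 1 when any dependency crosses fail_years."""
    buckets = classify(parse_warnings(log_text), today, warn_years, fail_years)
    return (1 if buckets["fail"] else 0), buckets


if __name__ == "__main__":
    # Pipe the Maven build log in; fall back to the constructed sample otherwise.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    code, buckets = gate(text, date.today())
    for level in ("fail", "warn", "ok"):
        for coord, age in buckets[level]:
            print(f"{level.upper():5} {age:>3}y {coord}")
    sys.exit(code)
```

In a pipeline this runs as `mvn com.giovds:outdated-maven-plugin:check | tee build.log | python3 outdated_gate.py`. Because the plugin only prints dependencies older than its own `<years>` setting, keep that setting at the lowest age you care about and let the script apply the stricter levels.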
Problem encountered
I ran into one problem: I was running Java 17, but the plugin was compiled with the latest Java LTS, version 21.
Execution default-cli of goal com.giovds:outdated-maven-plugin:1.0.0:check failed:
Unable to load the mojo 'check' in the plugin 'com.giovds:outdated-maven-plugin:1.0.0' due to an API incompatibility:
org.codehaus.plexus.component.repository.exception.ComponentLookupException: com/giovds/OutdatedMavenPluginMojo has been compiled by a more recent version of the Java Runtime (class file version 65.0), this version of the Java Runtime only recognizes class file versions up to 61.0
I think a great many projects are on 17 or earlier. New Relic's State of the Java Ecosystem report also shows which versions are in use. I believe many older Java environments are exactly where a tool like this could help users the most.
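The error above is the JVM refusing a class whose header says major version 65 (Java 21) on a runtime that accepts at most 61 (Java 17). The same header fields can be read before a plugin is added to a build. The script below is an added example, not from the original post or the plugin project: it reads the magic, minor and major fields from the start of each .class entry in a jar and reports whether a given runtime release can load it. The jar it scans by default is constructed in memory (a class-file header plus filler bytes, not a real compiled class); the entry name reuses the class named in the error message only for illustration.

```python
"""Report which Java release a jar's classes target, before the JVM refuses them.

Added example, not the plugin's code.  A .class file starts with magic
0xCAFEBABE, a 2-byte minor version and a 2-byte major version; the JVM compares
the major version against what it supports (61 = Java 17, 65 = Java 21).
The sample jar built below is constructed: valid headers followed by filler.
"""
import io
import struct
import sys
import zipfile

CLASS_MAGIC = 0xCAFEBABE


def class_file_version(data):
    """Return (major, minor) from the first 8 bytes of a class file; ValueError if not one."""
    if len(data) < 8:
        raise ValueError("too short to be a class file")
    magic, minor, major = struct.unpack(">IHH", data[:8])
    if magic != CLASS_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08X}")
    return major, minor


def java_release(major):
    """Map a class-file major version to the Java release that emits it."""
    if major < 45:
        raise ValueError(f"unknown class file major version {major}")
    if major < 49:
        return f"1.{major - 44}"  # 45 -> 1.1 ... 48 -> 1.4
    return str(major - 44)        # 49 -> 5, 52 -> 8, 61 -> 17, 65 -> 21


def scan_jar(jar_bytes):
    """Return {major_version: class_count} over the jar's regular .class entries."""
    counts = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class") or name.endswith("module-info.class"):
                continue
            # Multi-release entries are only loaded on JDK >= N; skip them here.
            if name.startswith("META-INF/versions/"):
                continue
            with zf.open(name) as f:
                major, _ = class_file_version(f.read(8))
            counts[major] = counts.get(major, 0) + 1
    return counts


def runtime_can_load(jar_bytes, runtime_release):
    """True when every class targets a release no newer than `runtime_release` (e.g. 17)."""
    counts = scan_jar(jar_bytes)
    return bool(counts) and max(counts) <= runtime_release + 44


def make_fake_class(major, minor=0):
    """Constructed: a class-file header plus filler, enough for the version check only."""
    return struct.pack(">IHH", CLASS_MAGIC, minor, major) + b"\x00" * 8


def build_sample_jar(major):
    """Constructed in-memory jar with one class targeting `major`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/giovds/OutdatedMavenPluginMojo.class", make_fake_class(major))
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real jar path to scan it; otherwise scan the constructed Java 21 sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar(65)
    for major, count in sorted(scan_jar(data).items()):
        print(f"major {major} (Java {java_release(major)}): {count} classes")
    print("loadable on Java 17:", runtime_can_load(data, 17))
```

For a plugin that Maven has already downloaded, the jar sits under the local repository (for this one, `~/.m2/repository/com/giovds/outdated-maven-plugin/1.0.0/`), and `javap -verbose` on one of its classes prints the same "major version" field that the script reads.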
Update, 18 July 2024
The project author has added support for LTS-1, i.e. Java 17.