{"id":22125297,"url":"https://github.com/basepom/dependency-versions-check-maven-plugin","last_synced_at":"2026-02-05T05:01:15.062Z","repository":{"id":57738776,"uuid":"218195059","full_name":"basepom/dependency-versions-check-maven-plugin","owner":"basepom","description":"Maven plugin to find dependency version conflicts","archived":false,"fork":false,"pushed_at":"2024-09-15T01:21:25.000Z","size":340,"stargazers_count":6,"open_issues_count":4,"forks_count":3,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-07-09T04:37:54.326Z","etag":null,"topics":["basepom","java","maven","maven-plugin"],"latest_commit_sha":null,"homepage":"https://basepom.github.io/","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/basepom.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGES.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-10-29T03:17:09.000Z","updated_at":"2025-05-27T08:30:18.000Z","dependencies_parsed_at":"2023-12-28T06:33:33.598Z","dependency_job_id":"dbf3a09e-e288-4e93-8675-5154eee6f007","html_url":"https://github.com/basepom/dependency-versions-check-maven-plugin","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/basepom/dependency-versions-check-maven-plugin","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/basepom%2Fdependency-versions-check-maven-plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/basepom%2Fdependency-versions-check-maven-plugin/tags","releases_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/repositories/basepom%2Fdependency-versions-check-maven-plugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/basepom%2Fdependency-versions-check-maven-plugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/basepom","download_url":"https://codeload.github.com/basepom/dependency-versions-check-maven-plugin/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/basepom%2Fdependency-versions-check-maven-plugin/sbom","scorecard":{"id":226642,"data":{"date":"2025-08-11","repo":{"name":"github.com/basepom/dependency-versions-check-maven-plugin","commit":"70db5c496a0ef55a614cc124a6105842b8affec1"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.6,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":0,"reason":"Found 0/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab 
publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/basepom/dependency-versions-check-maven-plugin/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/basepom/dependency-versions-check-maven-plugin/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/basepom/dependency-versions-check-maven-plugin/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/master-cd.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/basepom/dependency-versions-check-maven-plugin/master-cd.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/master-cd.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/basepom/dependency-versions-check-maven-plugin/master-cd.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/master-cd.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/basepom/dependency-versions-check-maven-plugin/master-cd.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/master-cd.yml:19: update your workflow using 
https://app.stepsecurity.io/secureworkflow/basepom/dependency-versions-check-maven-plugin/master-cd.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/style.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/basepom/dependency-versions-check-maven-plugin/style.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/style.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/basepom/dependency-versions-check-maven-plugin/style.yml/main?enable=pin","Info:   0 out of   9 GitHub-owned GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Warn: no topLevel permission defined: .github/workflows/master-cd.yml:1","Warn: no topLevel permission defined: .github/workflows/style.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the 
project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE.txt:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE.txt:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during 
branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-78wr-2p64-hpwj","Warn: Project is vulnerable to: GHSA-j288-q9x7-2f5v"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-17T03:56:17.267Z","repository_id":57738776,"created_at":"2025-08-17T03:56:17.267Z","updated_at":"2025-08-17T03:56:17.267Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29113188,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-05T03:44:17.043Z","status":"ssl_error","status_checked_at":"2026-02-05T03:44:12.077Z","response_time":65,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["basepom","java","maven","maven-plugin"],"created_at":"2024-12-01T16:18:59.861Z","updated_at":"2026-02-05T05:01:15.037Z","avatar_url":"https://github.com/basepom.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Dependency versions check maven plugin\n\n## Introduction\n\nThis plugin verifies that the resolved versions of project\ndependencies are mutually compatible.\n\nThis README only serves as a quick overview of the plugin. Please see the [Documentation Site](https://basepom.github.io/dependency-versions-check-maven-plugin/) for a full overview of the plugin and its function.\n\n## Cheat Sheet\n\n* the `list` goal lists all dependencies and their final resolved versions\n* the `check` goal verifies that all resolved dependency versions match the project requirements\n\nThe `list` goal is usually run interactively, while the `check` goal should be run as part of a build.\n\n### Configuration\n\n```xml\n\u003cconfiguration\u003e\n    \u003cskip\u003e...\u003c/skip\u003e\n    \u003cincludePomProjects\u003e...\u003c/includePomProjects\u003e\n    \u003cquiet\u003e...\u003c/quiet\u003e\n    \u003cscope\u003e...\u003c/scope\u003e\n    \u003cdeepScan\u003e...\u003c/deepScan\u003e\n    \u003cdirectOnly\u003e...\u003c/directOnly\u003e\n    \u003cmanagedOnly\u003e...\u003c/managedOnly\u003e\n    \u003cfastResolution\u003e...\u003c/fastResolution\u003e\n    \u003coptionalDependenciesMustExist\u003e...\u003c/optionalDependenciesMustExist\u003e\n  
  \u003cunresolvedSystemArtifactsFailBuild\u003e...\u003c/unresolvedSystemArtifactsFailBuild\u003e\n    \u003cdefaultStrategy\u003e...\u003c/defaultStrategy\u003e\n    \u003cconflictsOnly\u003e...\u003c/conflictsOnly\u003e\n    \u003cconflictsFailBuild\u003e...\u003c/conflictsFailBuild\u003e\n    \u003cdirectConflictsFailBuild\u003e...\u003c/directConflictsFailBuild\u003e\n    \u003cexceptions\u003e\n        \u003cexception\u003e\n            \u003cdependency\u003e...\u003c/dependency\u003e\n            \u003cexpected\u003e...\u003c/expected\u003e\n            \u003cresolved\u003e...\u003c/resolved\u003e\n        \u003c/exception\u003e\n        \u003cexception\u003e\n            ...\n        \u003c/exception\u003e\n    \u003c/exceptions\u003e\n    \u003cresolvers\u003e\n        \u003cresolver\u003e\n            \u003cstrategy\u003e...\u003c/strategy\u003e\n            \u003cincludes\u003e\n                \u003cinclude\u003e...\u003c/include\u003e\n                ...\n            \u003c/includes\u003e\n        \u003c/resolver\u003e\n        \u003cresolver\u003e\n            ...\n        \u003c/resolver\u003e\n    \u003c/resolvers\u003e\n\u003c/configuration\u003e\n```\n\n\nconfiguration key  | function | type | command line | default\n-----------------  | -------- | ---- | ------------ | -------\n`skip` [*L*, *C*] | skip plugin execution  | boolean | `dvc.skip` | `false`\n`includePomProjects` [*L*, *C*] | also process pom projects | boolean |  `dvc.include-pom-projects` | `false`\n`quiet` [*L*, *C*]| suppress non-essential output | boolean |  `dvc.quiet` | `false`\n`scope` [*L*, *C*]| select the scope to use for artifact resolution | one of `compile`, `runtime`, `test`, `compile+runtime` |  `dvc.scope` | `test`\n`deepScan` [*L*, *C*] | resolve all artifacts, not just direct | boolean |  `dvc.deep-scan` | `false`\n`directOnly` [*L*, *C*] | check only direct dependencies | boolean | `dvc.direct-only` | `false`\n`managedOnly` [*L*, *C*] | check only managed 
dependencies | boolean | `dvc.managed-only` | `false`\n`fastResolution` [*L*, *C*] | use parallel dependency resolution | boolean | `dvc.fast-resolution` | `true`\n`optionalDependenciesMustExist` [*L*, *C* ] | even optional dependencies must be resolvable | boolean | `dvc.dvc.optional-dependencies-must-exist` | `false`\n`unresolvedSystemArtifactsFailBuild` [*L*, *C*] | `system` scope artifacts that can not be resolved will fail the build | boolean |  `dvc.unresolved-system-artifacts-fail-build` | `false`\n`defaultStrategy` [*L*, *C*] | default artifact matching strategy | string | `dvc.default-strategy` | `default`\n`conflictsOnly` [*L*, *C*] | only report dependencies in conflict | boolean |  `dvc.conflicts-only` | `true` for `check` goal, `false` for `list` goal\n`conflictsFailBuild` / `failBuildInCaseOfConflict` [C] | any version conflict will fail the build | boolean |  `dvc.conflicts-fail-build` | `false`\n`directConflictsFailBuild` [*C*] | any conflict in a direct dependency will fail the build | boolean |  `dvc.direct-conflicts-fail-build` | `false`\n`exceptions` [*L*, *C*] | set of exceptions influencing the version resolution | set of exceptions | - | -\n`resolvers` [*L*, *C*] | resolver strategies for specific dependencies | set of resolvers | - | -\n\n(*L* = `list` goal, *C* = `check` goal)\n\n\n### Exceptions\n\nAn exception defines an acceptable conflict which would otherwise fail the build:\n\n```xml\n\u003cexceptions\u003e\n    \u003cexception\u003e\n        \u003cdependency\u003eorg.sonatype.plexus:plexus-cipher\u003c/dependency\u003e\n        \u003cexpected\u003e1.7\u003c/expected\u003e\n        \u003cresolved\u003e1.4\u003c/resolved\u003e\n    \u003c/exception\u003e\n\u003c/exceptions\u003e\n```\n\nIn this case, the `1.4` version of the dependency would be acceptable even if the build tree would require the `1.7` version.\n\nThe `groupId` and `artifactId` components of the dependency name can use wildcards. 
An empty element (group or artifact) is treated as a wildcard.\n\n\n### Resolvers\n\nThe standard strategy for determining which version of an artifact is used matches the strategy that maven itself employs. This should be sufficient for most uses.\n\nIt is possible to configure specific strategies for subsets of artifacts (with a `resolver` configuration) or even to change the default strategy (using the `defaultStrategy` configuration).\n\nA resolver element consists of a versioning strategy name and one or more include patterns that select the artifacts the strategy applies to:\n\n```xml\n\u003cconfiguration\u003e\n    \u003cresolvers\u003e\n        \u003cresolver\u003e\n            \u003cid\u003eapache-dependencies\u003c/id\u003e\n            \u003cstrategyName\u003eapr\u003c/strategyName\u003e\n            \u003cincludes\u003e\n                \u003cinclude\u003ecommons-configuration:commons-configuration\u003c/include\u003e\n                \u003cinclude\u003eorg.apache.*:\u003c/include\u003e\n            \u003c/includes\u003e\n        \u003c/resolver\u003e\n    \u003c/resolvers\u003e\n\u003c/configuration\u003e\n```\n\nThe following strategies are included:\n\n#### `default` - the default strategy\n\nThis strategy matches the actual maven version resolution.\n\nIt assumes that all smaller versions are compatible when replaced with larger numbers and compares version elements from left to right. E.g. 3.2.1 \u003e 3.2 and 2.1.1 \u003e 1.0.\n\n#### `apr` - Apache APR versioning (aka semantic versioning)\n\nThree-digit versioning; assumes that for two versions to be compatible, the first digit must be identical, the middle digit indicates backwards compatibility (i.e. 1.2.x can replace 1.1.x but 1.4.x cannot replace 1.5.x) and the third digit signifies the patch level (only bug fixes, full API compatibility).\n\n#### `two-digits-backward-compatible` - Relaxed APR versioning\n\nSimilar to APR, but assumes that there is no \"major\" version digit (e.g. 
it is part of the artifact Id). All versions are backwards compatible. First digit must be the same or higher to be compatible (i.e. 2.0 can replace 1.2).\n\n#### `single-digit` - Single version number\n\nThe version consists of a single number. Larger versions can replace smaller versions. The version number may contain additional letters or prefixes (i.e. r08 can replace r07).\n\n\n## Legal\n\nThis is a friendly fork and rewrite of the [original dependency-version-check plugin](https://github.com/ning/maven-dependency-versions-check-plugin).\n\nLicensed under the [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0)\n\n\u0026copy; 2010 Ning, Inc.\n\n\u0026copy; 2011 Henning Schmiedehausen\n\n\u0026copy; 2020-2021 the basepom project\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbasepom%2Fdependency-versions-check-maven-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbasepom%2Fdependency-versions-check-maven-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbasepom%2Fdependency-versions-check-maven-plugin/lists"}