Analyze and automate dependency upgrades

Looking to simplify dependency management? Adding some tooling to your processes can speed things up and point you to areas that might call for a little more attention.

Automatic version upgrades

Android Studio highlights out-of-date library versions in the editor, along with quick-fixes to upgrade them. But this requires regularly checking all of your build files.

There are a number of third party tools that can automate the process, upgrading your build files and optionally creating a pull-request for the change. They locate and update to the latest available versions of each dependency, but you still need to analyze the results before release to ensure behavioral compatibility. Some popular examples include:

Check available upgrades

Gradle versions plugin gives you more manual upgrade control. Running its dependencyUpdates task (via ./gradlew :dependencyUpdates) generates a report of newer versions of your library dependencies. This can be useful to check library status and manually target which libraries you want to upgrade at a given time.

This can be especially useful if you're using a custom approach to specify your dependency versions, instead of a version catalog.

Report dependency changes

Upgrading the versions of libraries that you directly use can have a much wider impact on your application. Each library you use might require other library dependencies, forming a larger transitive dependency graph.

Dependency guard exposes the changes in that graph between versions of your application or library. This can be an invaluable tool for upgrade analysis, ensuring you consider direct and indirect upgrades.

Detect unused and misused dependencies

Keeping your build healthy can improve build speed and ensure your application and library has access to the dependencies it needs. The Dependency analysis Gradle plugin gives you tools to examine your dependencies, checking for proper usage in your build files.

Its reports include:

  • Unused dependencies
  • Used transitive dependencies (you should explicitly declare these so your application can access them if your direct dependencies stop using them)
  • Dependencies declared in the wrong scope
  • Unnecessary use of some plugins
  • GraphViz views of your dependencies

License management

Developers of each library license them for your use. You are required to adhere to the terms of the license or you cannot use that library. Some licenses are very permissive, often requiring only a notice of their use. Some are considered "viral"; if you use those libraries, you must apply the same license to your application or library.

Licenses can change with any release. Whenever you upgrade, you should verify that the dependencies you're using are licensed in a compatible way with your application or library.

Report licenses

The Gradle License Report plugin helps by reporting the licenses of all of your dependencies. Be sure to check this report when you upgrade any dependencies. Verify that the licenses are compatible with your requirements, and ensure you're meeting their required terms.

Generate license notices

Licensing terms often require a notice that users of an application or consumers of a library can access. The Gradle License Plugin generates data or HTML to display such notices in your application.

While this automates much of your notice requirements, it doesn't report resource licenses (for example, licenses needed for fonts, images, or sounds) or licenses of code snippets that you copied from the internet. You need to track and report such usage manually.