Tracking managed dependency versions in Maven

You should try the maven-enforcer-plugin and configure it to do DependencyConvergence, e.g.

  <plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-enforcer-plugin</artifactId>
    <version>1.2</version>
    <executions>
      <execution>
        <id>enforce</id>
        <configuration>
          <rules>
            <DependencyConvergence/>
          </rules>
        </configuration>
        <goals>
          <goal>enforce</goal>
        </goals>
      </execution>
    </executions>
  </plugin>

That will show you which top-level dependencies have different versions of other dependencies in their dependency trees. You then suppress the dependency variants that you don't want using exclusions.


This happens when 2 or more parent POMs conflict over the same artifact.

E.g.:

[INFO] |  \- com.rbs.gbm.risk:framework-core:jar:1.6.6:compile
[INFO] |     +- com.rbos.gbm.risk:log4jextensions:jar:2.3:compile (version managed from 2.2)
[INFO] |     +- oro:oro:jar:2.0.8:compile

In my case, framework-core has log4jextensions 2.2 mentioned, and my super-POM says log4jextensions 2.3. Somehow framework-core convinced Maven to use log4jextensions 2.2.

Later, when I updated the framework-core POM to use 2.3:

[INFO] |  \- com.rbs.gbm.risk:framework-core:jar:1.6.6:compile
[INFO] |     +- com.rbos.gbm.risk:log4jextensions:jar:2.3:compile
[INFO] |     +- oro:oro:jar:2.0.8:compile
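Added example (not part of either answer above): a Python script that scans `mvn dependency:tree` text for the "(version managed from X)" annotation shown in this output and reports which artifact was overridden, the declared and resolved versions, and the parent node that declared it. This is useful when auditing which version actually ends up on the classpath. The function and variable names are hypothetical, the sample lines are copied from the output above, and only the annotation format shown on this page is assumed.

```python
import re

# One tree node: "[INFO] ", tree-drawing indent, "+- " or "\- ", then
# group:artifact:type[:classifier]:version:scope and an optional managed note.
NODE = re.compile(
    r"^\[INFO\] (?P<indent>[ |]*)[+\\]- "
    r"(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<type>[^:\s]+):"
    r"(?:(?P<classifier>[^:\s]+):)?(?P<version>[^:\s]+):(?P<scope>[a-z]+)"
    r"(?: \(version managed from (?P<declared>[^;)\s]+)[^)]*\))?"
)

def managed_overrides(tree_text):
    """List nodes whose declared version was replaced by a managed version."""
    stack = []   # (depth, "group:artifact:version") for ancestors of the current line
    found = []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue                      # root line, banners, blank lines
        depth = len(m["indent"]) // 3 + 1  # each tree level is 3 characters wide
        while stack and stack[-1][0] >= depth:
            stack.pop()                   # drop siblings and deeper nodes
        coord = f'{m["group"]}:{m["artifact"]}'
        if m["declared"]:
            found.append({
                "artifact": coord,
                "declared": m["declared"],    # version written in the parent's POM
                "resolved": m["version"],     # version dependencyManagement forced
                "declared_by": stack[-1][1] if stack else None,
            })
        stack.append((depth, f'{coord}:{m["version"]}'))
    return found

# Sample input: the first tree fragment from the answer above.
SAMPLE = r"""[INFO] |  \- com.rbs.gbm.risk:framework-core:jar:1.6.6:compile
[INFO] |     +- com.rbos.gbm.risk:log4jextensions:jar:2.3:compile (version managed from 2.2)
[INFO] |     +- oro:oro:jar:2.0.8:compile"""

# Sample input: the second fragment, after the parent POM was aligned.
SAMPLE_AFTER = r"""[INFO] |  \- com.rbs.gbm.risk:framework-core:jar:1.6.6:compile
[INFO] |     +- com.rbos.gbm.risk:log4jextensions:jar:2.3:compile
[INFO] |     +- oro:oro:jar:2.0.8:compile"""

if __name__ == "__main__":
    for hit in managed_overrides(SAMPLE):
        print(f'{hit["artifact"]}: {hit["declared"]} -> {hit["resolved"]} '
              f'(declared by {hit["declared_by"]})')
```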