Reputation: 14333
Given a user has manually overridden Spring managed dependency versions, is there a plugin or other tool that can tell them "Don't do this"?
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.5</version>
    <relativePath/> <!-- lookup parent from repository -->
</parent>
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
        <version>2.7.3</version> <!-- this line shouldn't exist -->
    </dependency>
    <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.10.0</version> <!-- this line shouldn't exist -->
    </dependency>
</dependencies>
I'm asking because as teams are updating their app for currency, they are manually updating 20+ dependency versions, when it's possible they only need to update the Spring Boot version to receive updates to other dependencies.
Upvotes: 1
Views: 280
Reputation: 5663
That's what code reviews are for, first and foremost. There might be an option in SonarQube that can help; I haven't heard of a Maven plugin.
Of course it's quite possible that your project won't even compile in this state, depending on the changes between the versions. The Jackson databind version btw SHOULD be there, unless for some reason the entire dependency should be there because it's implicitly brought in by another dependency (I don't have all transitive dependencies of Spring Boot starters in my head, shocking I know).
Upvotes: 0
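The check the question asks for is mechanical enough to script even without a dedicated plugin: every direct dependency that carries its own `<version>` while the parent's `<dependencyManagement>` already manages that `groupId:artifactId` is an override, and an override that is lower than the managed version silently keeps the project on an artifact line the BOM has already moved past. The following script is an added example, not code from either post. Both XML documents in it are constructed for the demo: `POM_XML` mirrors the question's pom.xml, and `MANAGED_XML` is a stand-in for the managed-versions section that `spring-boot-starter-parent` inherits from `spring-boot-dependencies`; its version numbers are illustrative, not looked up. The function names (`find_overrides`, `report`, `version_key`) are this example's own.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed for this example: the question's pom.xml plus one dependency
# (starter-test) that correctly leaves its version to the parent.
POM_XML = """<project>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.5</version>
  </parent>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <version>2.7.3</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.10.0</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-test</artifactId>
    </dependency>
  </dependencies>
</project>"""

# Constructed stand-in for the parent's inherited <dependencyManagement>;
# the versions here are illustrative, not the real BOM contents.
MANAGED_XML = """<project>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
        <version>2.7.5</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.13.4</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>"""


def _local(tag):
    """'{http://maven.apache.org/POM/4.0.0}version' -> 'version'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or None if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def _coords(dep):
    return f"{_child_text(dep, 'groupId')}:{_child_text(dep, 'artifactId')}"


def version_key(version):
    """Sort key: numeric segments as ints, everything else as strings. Fine
    for x.y.z styles; Maven's qualifier ordering (SNAPSHOT, RC, ...) is richer,
    so the downgrade flag is a hint for the reviewer, not a verdict."""
    return [(0, int(p)) if p.isdigit() else (1, p)
            for p in version.replace("-", ".").split(".")]


def managed_versions(bom_xml):
    """'group:artifact' -> version for every dependency the BOM manages."""
    managed = {}
    for elem in ET.fromstring(bom_xml).iter():
        if _local(elem.tag) == "dependencyManagement":
            for dep in elem.iter():
                if _local(dep.tag) == "dependency":
                    managed[_coords(dep)] = _child_text(dep, "version")
    return managed


def find_overrides(pom_xml, bom_xml):
    """Direct dependencies of the project that pin a version the BOM manages."""
    managed, findings = managed_versions(bom_xml), []
    for section in ET.fromstring(pom_xml):          # direct children of <project>
        if _local(section.tag) != "dependencies":   # skips <parent>, <dependencyManagement>
            continue
        for dep in section:
            if _local(dep.tag) != "dependency":
                continue
            declared, coords = _child_text(dep, "version"), _coords(dep)
            if declared is None or coords not in managed:
                continue                            # no version, or not managed: fine
            # A ${property} reference cannot be compared here, only flagged.
            downgrade = (None if declared.startswith("${")
                         else version_key(declared) < version_key(managed[coords]))
            findings.append({"artifact": coords, "declared": declared,
                             "managed": managed[coords], "downgrade": downgrade})
    return findings


def report(findings):
    """One 'Don't do this' line per finding, suitable for a CI log."""
    kinds = {True: "DOWNGRADE", False: "override", None: "unresolved property"}
    return [f"{f['artifact']}: declares {f['declared']} but the parent manages "
            f"{f['managed']} ({kinds[f['downgrade']]}); remove the <version> element"
            for f in findings]


if __name__ == "__main__":
    found = find_overrides(POM_XML, MANAGED_XML)
    print("\n".join(report(found)) or "no managed versions overridden")
    sys.exit(1 if found else 0)  # non-zero exit so a CI job fails the build
```

Against a real project, replace the two constants with the project's pom.xml and the output of `mvn help:effective-pom -Doutput=effective-pom.xml`, whose `<dependencyManagement>` section contains every version the parent chain manages. The exit status makes the script usable as a build gate. Where a team genuinely needs a different version of a managed library, the supported route with `spring-boot-starter-parent` is to override the BOM's version property in `<properties>` (for example `jackson-bom.version`) rather than to pin a `<version>` on the dependency, so the script can stay strict about explicit versions.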