I dunno, back in, like, 2010, I was working on software that had something like 1 zillion dependencies (or, you know, 50. Same thing) and keeping track of consistent versions of all the dependencies was a real pain in the neck. Our organization had a dedicated CM team who set up Artifactory and Ivy and we worked pretty hard at being flexible with which version of commons-lang we actually required.
But note, that was a full-time job, just managing the artifact repo and the build system. So now here I am, managing a team and we’re developing a suite of programs. We’re building some custom code, but a lot of what we want to do is accomplished with off-the-shelf libraries, each of which is available from Maven Central. Of course, each one pulls in a different version of slf4j or bcprov or whatever. With only a couple of dependencies, it’s okay, there are no collisions. But last night I pulled in jets3t and *poof*, the app would no longer start because jets3t’s version of bouncycastle collides with the version I was already using, so uh oh, we can’t do encryption because the class loader is confused.
Easy enough to solve (downgrade bouncycastle to the version jets3t plays with) but this is my reminder that configuration management is actually a full-time job, and there are best practices and frameworks and all that good stuff.
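An added example, not part of the original post: a small build-time check that scans the jars on a classpath and reports any class shipped by more than one of them, which is the kind of collision described above. The jar names and class bytes are constructed placeholders, and `duplicate_classes` is a hypothetical helper, not part of any build tool.

```python
import hashlib
import io
import zipfile
from collections import defaultdict


def make_jar(entries):
    """Build an in-memory jar (a zip) from {entry name: bytes}; sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


def duplicate_classes(jars):
    """Report classes present in more than one jar.

    jars maps a jar name to a path or file-like object. The result maps each
    duplicated class to the jars shipping it and whether the copies differ.
    """
    seen = defaultdict(dict)  # class name -> {jar name: sha256 of class bytes}
    for jar_name, source in jars.items():
        with zipfile.ZipFile(source) as zf:
            for entry in set(zf.namelist()):
                if entry.endswith(".class"):
                    cls = entry[: -len(".class")].replace("/", ".")
                    seen[cls][jar_name] = hashlib.sha256(zf.read(entry)).hexdigest()
    return {
        cls: {"jars": sorted(by_jar), "differs": len(set(by_jar.values())) > 1}
        for cls, by_jar in seen.items()
        if len(by_jar) > 1
    }


def sample_classpath():
    # Constructed jars standing in for two copies of a crypto provider plus the app.
    provider = "org/bouncycastle/jce/provider/BouncyCastleProvider.class"
    digest = "org/bouncycastle/crypto/Digest.class"
    return {
        "bcprov-A.jar": make_jar({provider: b"build-1", digest: b"same"}),
        "bcprov-B.jar": make_jar({provider: b"build-2", digest: b"same"}),
        "app.jar": make_jar({"com/example/Main.class": b"app", "META-INF/MANIFEST.MF": b""}),
    }


if __name__ == "__main__":
    for cls, info in sorted(duplicate_classes(sample_classpath()).items()):
        state = "DIFFERENT bytes" if info["differs"] else "identical"
        print(f"{cls}: {', '.join(info['jars'])} ({state})")
```

Duplicates with different bytes are the ones worth failing a build on, since which copy gets loaded depends on classpath order.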