Speed up ModuleHasDependency and RepositoryHasDependency by removing DependencyInsight#176
Merged
timtebeek merged 3 commits intoMay 21, 2026
Conversation
…DependencyInsight Both recipes ran a fresh DependencyInsight visitor against every source file during scanning, which performs exhaustive Gradle + Maven dependency analysis just to answer a binary yes/no question about whether the module contains a given GAV. Replace the visitor with a direct check against MavenResolutionResult.findDependencies for Maven modules, and against GradleProject's configurations + ResolvedDependency.findDependency for Gradle modules. This mirrors the pattern Sam applied to the single-build-system versions of ModuleHasDependency in openrewrite/rewrite (commit 919c9f5 / PR #6664). These recipes are used as preconditions in many declarative migration recipes. Avoiding the DependencyInsight allocation + traversal per source file substantially reduces scanner time on repositories with many Java files.
Jenson3210
approved these changes
Apr 22, 2026
github-project-automation
Bot
moved this from In Progress
to Ready to Review
in OpenRewrite
…match Avoids re-running the per-tree dependency lookup for every source file in a module after the JavaProject has already been added to the accumulator.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Both
org.openrewrite.java.dependencies.search.ModuleHasDependencyandRepositoryHasDependencyran a freshDependencyInsightvisitor against every source file during scanning, just to answer a binary yes/no question about whether the module contains a given GAV.Replace the visitor with a direct check against:
MavenResolutionResult.findDependencies(groupId, artifactId, scope)for Maven modules, andGradleProject's configurations +ResolvedDependency.findDependencywalk for Gradle modules.This mirrors the pattern Sam applied to the single-build-system
ModuleHasDependencyclasses inopenrewrite/rewrite(commit919c9f5/ PR #6664) — these cross-build-system versions weren't updated alongside.Why
These recipes are used as preconditions in many declarative migration recipes — in the Spring Boot 4 recipe tree alone,
ModuleHasDependencyis a precondition in 11+ places acrossmockito.yml,spring-boot-20.yml,spring-boot-25.yml, andspring-cloud-2025.yml.Allocating a
DependencyInsightand running its Gradle + Maven visitors per source file is wasteful when all we need is a single boolean per module. With Sam's fix in place for the single-build-system versions, the cross-build-system wrappers became the remaining hot path.How
ModuleHasDependency#hasDependency(Tree)andRepositoryHasDependency#hasDependency(Tree)now:MavenResolutionResulton the tree's markers. If present, usefindDependencies(g, a, scope)with version-comparator filtering.GradleProjectand walkGradleDependencyConfiguration#getDirectResolved(), callingResolvedDependency#findDependency(g, a)to catch matches in the transitive tree.ModuleHasDependency's scanner additionally short-circuits the dependency lookup once theJavaProjectis already in the accumulator, avoiding redundant scans across the many source files in a module that has already matched.RepositoryHasDependencyretains its existing whole-repo short-circuit viaAtomicBoolean.Incidentally fixed: arg-order bug in RepositoryHasDependency
The previous
RepositoryHasDependencyconstructednew DependencyInsight(groupIdPattern, artifactIdPattern, scope, version), butDependencyInsight's signature is(groupId, artifactId, version, scope)— soscopeandversionwere silently swapped.ModuleHasDependencyalready had the correct order. The direct-lookup rewrite passes both values to the right places, so this bug is fixed by construction.Tests
rewrite-java-dependencies:testsuite passes.ModuleHasDependencyTestandRepositoryHasDependencyTestcover Maven-only, Gradle-only, mixed multi-module, direct/transitive, and version-glob cases.Follow-ups (not in this PR)
hasDependency(Tree)is byte-for-byte identical in both recipes; worth extracting to a shared package-private helper to prevent drift if scope handling, transitive walking, or version semantics ever change.RepositoryHasDependencyTestcase that sets bothscopeandversionto lock in the arg-order fix above.Semver.validate(version, null).getValue()is re-computed on everyhasDependencycall thoughversionis a recipe field; could be memoized once per recipe instance.