How to Build Java Applications Today #69
Java got security patches, 7 security vulnerabilities, we are 10 million Java developers, Spring bets on Gradle, and view Devoxx Belgium talks.
README
Welcome to my newsletter “How To Build Java Applications Today”! If you like it, then subscribe below for free! Or read it on dev.to or Medium. Even better: Share it with people who are interested!
Stand-Up
Last month, I was late by three days. This month, I’m one day early. How come?
I drive to Germany on November 2. Starting northwest of London in Milton Keynes, that’s about a 12-13 hour drive. Maybe a bit less since our Mercedes C-Class doesn’t have winter tires and can go faster than 200 km/h (124 miles/hour) on the famous German Autobahn. 😌 My wife works for Mercedes, so I’m obligated to tell you what a fine car that C-Class is. But it really is! 👍🏻
Anyhow, we’ll see my family and some of my wife’s. And we spend three spa days in this beautiful hotel in the Black Forest before driving back to the UK.
But we also make a stop in Munich for W-JAX Munich. I’ll talk about Google’s Flutter for Java developers there on November 8 — again. Say hi if you see me there!
I’m working on several articles and news items for InfoQ that should all be out before our next issue. Follow me on InfoQ if you can’t wait to read more from me!
Release Radar
Essential tool & technology releases: Java got security patches. Git and all frameworks — Spring Boot, Quarkus, Micronaut, DropWizard, and Helidon — had minor releases.
New & Noteworthy
Seven Security Vulnerabilities
Usually, you have one or two vulnerabilities a month. This month, we got seven!
Two Git vulnerabilities: We can upgrade Git to the latest version, 2.38.1, to fix this. Older, patched versions are 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, or 2.37.4.
Text4Shell vulnerability in Apache Commons Text: We need to upgrade to Apache Commons Text 1.10.0.
Two Spring Security vulnerabilities: To fix both, we need either Spring Security 5.6.9 or 5.7.5.
Reactor Netty vulnerability: Frameworks like Spring WebFlux and its WebClient use Reactor Netty. We need to upgrade to version 1.0.24.
OpenSSL vulnerability: If our projects use OpenSSL 3.0 - 3.0.5, then we need to upgrade to version 3.0.7 from November 1, 2022.
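The fixed versions listed above can be checked per release line with a few lines of Java. This is an added example, not code from the newsletter or from any of the named projects; the class name, component keys and sample inventory are constructed. OpenSSL is left out because the list gives an affected range (3.0 - 3.0.5) for it rather than a fix per release line.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;

public class PatchLevelCheck {
    enum Status { PATCHED, UPGRADE_IN_LINE, MOVE_TO_LISTED_LINE }

    // Fixed versions per release line, copied from the list above.
    static final Map<String, List<String>> FIXED = Map.of(
        "git", List.of("2.30.6", "2.31.5", "2.32.4", "2.33.5", "2.34.5",
                       "2.35.5", "2.36.3", "2.37.4", "2.38.1"),
        "commons-text", List.of("1.10.0"),
        "spring-security", List.of("5.6.9", "5.7.5"),
        "reactor-netty", List.of("1.0.24"));

    // Numeric parse, so that 1.10.0 sorts after 1.9 (a plain string compare gets this wrong).
    static int[] parse(String version) {
        int[] parts = Arrays.stream(version.split("\\.")).mapToInt(Integer::parseInt).toArray();
        return Arrays.copyOf(parts, 3); // pads "1.9" to 1.9.0
    }

    static Status check(String component, String installed) {
        int[] have = parse(installed);
        boolean newerThanAllLines = true;
        for (String fixedVersion : FIXED.get(component)) {
            int[] fixed = parse(fixedVersion);
            int lineOrder = Arrays.compare(Arrays.copyOf(have, 2), Arrays.copyOf(fixed, 2));
            if (lineOrder == 0) { // same major.minor line: compare the patch number
                return have[2] >= fixed[2] ? Status.PATCHED : Status.UPGRADE_IN_LINE;
            }
            if (lineOrder < 0) newerThanAllLines = false;
        }
        // Assumption: a release line newer than every listed one already contains the fix.
        // Any other unlisted line has no fixed release in the list, so it has to move to one.
        return newerThanAllLines ? Status.PATCHED : Status.MOVE_TO_LISTED_LINE;
    }

    public static void main(String[] args) {
        // Constructed sample inventory, not taken from a real system.
        String[][] inventory = { {"git", "2.37.3"}, {"git", "2.30.6"}, {"commons-text", "1.9"},
            {"spring-security", "5.5.8"}, {"spring-security", "5.7.5"},
            {"reactor-netty", "1.0.23"} };
        for (String[] item : inventory) {
            System.out.printf("%-16s %-8s %s%n", item[0], item[1], check(item[0], item[1]));
        }
    }
}
```

Run it with `java PatchLevelCheck.java` on Java 11 or later.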
We are 10 Million Java Developers
I heard both 10 million and 12 million as the number of Java developers before. But now Oracle made it official at JavaOne by putting it on a slide: We are 10 million! It’s just too bad that we came in at the lower end of the range. 😩
In related news, there are 5 million Kotlin developers, according to Google. Most of them are on Android, though, not on the server.
Spring Bets On Gradle
The Spring Initializr lets us create Spring Boot projects easily. It now creates projects with Gradle by default instead of Maven.
Now that doesn’t influence our existing projects. What does, at least indirectly, is Spring’s reason: “Gradle is the future of build tools for Spring.” The GitHub issue below has a detailed list of reasons why they think Gradle is better for Spring.
So if you’re a Gradle fan — rejoice! If you’re a Maven fan — relax, you still lead Gradle by 2-3x.
I like Gradle for its brevity (compared to the “XML-ness” of Maven) and easy customization through code right in the build file. I don’t like how my build files sometimes break with new Gradle releases, though this seems to happen less. But that could be just my bias!
ArchUnit Verifies Code Organization
In Java, a public class is visible to all other classes. So how do we enforce rules like “Classes from the data repository package shouldn’t access classes in the controller package”? With ArchUnit!
ArchUnit has a Domain-Specific Language (DSL) that lets us encode the above rule:
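    import static com.tngtech.archunit.lang.syntax.ArchRuleDefinition.noClasses;
    import com.tngtech.archunit.lang.ArchRule;

    // No class in a repository package may depend on a class in a controller package.
    ArchRule rule = noClasses().that()
        .resideInAPackage("..repository..")
        .should().dependOnClassesThat()
        .resideInAPackage("..controller..");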
And then, we can write JUnit tests that fail when somebody’s code violates the above rule.
The project has been around since 2017 and released version 1.0 in October. Spring Modulith uses it to verify its module structure.
View Talks from Devoxx Belgium
“Devoxx is a conference by developers, for developers.” True that! Now the original Devoxx conference comes from Belgium. It just took place again for the 19th time. And the talks are all on YouTube, too. Now for the more text-oriented readers, the button below shows talks & abstracts, but the videos are included, too.
James Gosling, the father of Java, talked about IoT there. Now he’s an experienced speaker. So I was a bit surprised to see that, apparently, he still got the jitters: His Apple Watch showed a workout during his talk! 😃
The UK version last May was terrific, too! Most of the talks are on YouTube. They’re six months old by now. But I think most hold up well!
GoF Design Patterns, Functional Style
Remember the design patterns craze in the late 90s and early 2000s? The book by the “Gang of Four” (Erich Gamma, Richard Helm, Ralph Johnson, and John Vlissides) started it all nearly 30 years ago. Its patterns are still in use today: Builder, singleton, facade, proxy, iterator, and so on.
The book had sample code in C++ and Smalltalk. Now the patterns have long been translated into Java. But the one & only Venkat Subramaniam recently showed what some of these patterns look like in a more functional Java style.
Here’s a traditional iterator implementation:
    // Print the first two four-letter names in upper case.
    int count = 0;
    for (var name : names) {
        if (name.length() == 4) {
            System.out.println(name.toUpperCase());
            count++;
            if (count == 2) {
                break;
            }
        }
    }
And here it is in a functional style:
    names.stream()
        .filter(name -> name.length() == 4)
        .map(String::toUpperCase)
        .limit(2)
        .forEach(System.out::println);
Slick, isn’t it? So read the article for other examples. Or brush up on the original patterns!
Side note: You know you’re old if you think of Erich Gamma as the “Eclipse guy”, not the “VS Code guy”. 😒
Technology Index (Last Update: October 2022)
Why Popularity - and How?
Picking a popular technology makes our developer life easier: easier to learn, easier to build, debug & deploy, easier to find jobs/hire, and easier to convince teammates & bosses. Now popularity can make a difference in two situations: When multiple technologies score similarly, we could go for the most popular one. And when a technology is very unpopular, we may not use it.
I measure popularity among employers and developers as the trend between competing technologies. I count mentions in job ads at Indeed for employer popularity. For developer popularity, I use Google searches, Udemy course buyers, and Stack Overflow questions.
IDEs
Popularity trend: Eclipse is the most popular Java IDE, though it has declined over many years. IntelliJ holds up well for a commercial product: Except for job ads, it’s neck and neck with Eclipse. NetBeans is the least popular IDE. VS Code isn’t a fully fledged Java IDE, but - apart from jobs - it’s 3–4 times as popular as Eclipse & IntelliJ.
If you don’t want to spend money, then use Eclipse.
If you may spend money, evaluate IntelliJ.
Evaluate VS Code for non-Java work, like web development (I use it for all my websites).
If you’re using NetBeans, consider moving off of it.
Build Tools
Popularity trend: Maven is 2.5 times as popular as Gradle, except for Stack Overflow, where Gradle is slightly ahead of Maven. Ant and sbt have declined for years.
If you use Scala, then use sbt.
Otherwise, if you absolutely cannot stand XML files and/or need to customize your build heavily, then use Gradle.
Otherwise, use Maven.
JVM Languages
Popularity trend: Java is #1, Kotlin #2, and Scala #3. Java lost 20% of its job ad mentions over the last five months but still leads Scala and Kotlin and its non-JVM competitors like Python or JavaScript. Scala's recent lead in job ad mentions over Kotlin shrinks. Kotlin leads Scala in all other categories. Groovy and Clojure have mostly declined for many years.
On your current project, keep your existing language unless that language is absolutely, really not working out for you.
If you need to switch languages or are on a new project:
Use Scala if you need functional programming.
Use Kotlin if you really need a “more modern Java”.
Otherwise, use the latest Java LTS version you, your team, and your application can take.
Databases
Popularity trend: MySQL is #1, Postgres #2, and MongoDB is #3. MySQL and MongoDB surged over the last three months in job ad mentions, with MySQL leading Postgres now 2:1 and MongoDB reaching 70% of Postgres' numbers.
On your current project, keep your existing database unless that database is absolutely, irrevocably, really not working out for you.
If you need to switch databases or are on a new project:
If you know that you’ll need the NoSQL features and/or scalability, and you can’t get this with MySQL, then use MongoDB.
Otherwise, use MySQL.
Back-End Frameworks
Popularity trend: Spring Boot remains the framework to beat and still grows in most categories. Despite a long decline, Jakarta EE leads Quarkus in all categories but questions at Stack Overflow, where Quarkus hits its all-time high. Quarkus also placed number three in job ad mentions after DropWizard’s collapse, while Micronaut is number four.
On your current project, keep your existing back-end framework unless that framework is absolutely, really not working out for you.
If you need to switch back-end frameworks or are on a new project:
Use Quarkus if you need the smallest possible, fastest-starting Java application now.
Otherwise, use Spring Boot.
Web Frameworks
Popularity trend: React is #1, Angular #2, and Vue #3. React leads Angular 1.4:1 in job ad mentions and pulls away from Angular in developer popularity. Vue holds steady in all categories at about half of Angular's level but catches up in job ad mentions and (more slowly) in students at Udemy.
If you already use React, Angular, or Vue in your project, then keep using them. Otherwise, evaluate a migration. In many (most?) cases, such a migration doesn’t make business sense.
If you start a new project or migrate, then start with React first, Angular otherwise, and finally Vue.
Mobile App Frameworks
Popularity trend: React Native has 50% more apps on iOS but only leads Flutter in job ad mentions 1.5:1 after a steep decline in the last five months. Among developers, Flutter leads React Native 2:1 and pulls away (except for Google searches, where both slightly lost). Xamarin and JavaFX have generally declined for years.
Don’t build two separate applications with Apple’s and Google’s first-party frameworks. Use a cross-platform framework instead.
If you already use Flutter or React Native in your project, then keep using them. Otherwise, evaluate migration. In many (most?) cases, such a migration doesn’t make business sense.
If you start a new project or migrate and have used React before, then start with React Native first and use Flutter otherwise.
If you start a new project or migrate and have not used React, then begin with Flutter first and use React Native otherwise.
Next Issue: Wednesday, December 7, 2022
Thanks for reading this issue of “How to Build Java Applications Today”! Subscribe to it on Substack for free to receive the next issue automatically! My newsletter is published on the first Wednesday of every month.
About
Karsten Silz is the author of this newsletter. He is a full-stack Java developer (Spring Boot, Angular, Flutter) with 23 years of Java experience. Karsten has worked in Europe and the US and is also a contractor, author, and speaker. He got a Master’s degree in Computer Science at the Dresden University of Technology (Germany) in 1996.
Karsten co-founded a software start-up in the US in 2004. He led product development for 13 years and left after the company was sold successfully. Karsten then co-founded the UK SaaS start-up “Your Home in Good Hands” as CTO in 2020.
Karsten has this newsletter, a developer website, and a contractor site. He’s on LinkedIn, Twitter, Xing, and GitHub. Karsten is also a Java editor at InfoQ.