Dependency intelligence infrastructure for AI assistants and agents working with JVM projects. Traditional upgrade workflow: 1. Google "Spring Boot 2.7 to 3.2 migration guide" (5 minutes) 2. Read 50-page migration docs, cross-reference breaking changes (15 minutes) 3. Check Maven Central for compatible dependency versions (5 minutes) 4. Update pom.xml, compile, fix breaking changes (30 minutes) 5.
Add this skill
npx mdskills install arvindand/maven-tools-mcpComprehensive Maven dependency intelligence with excellent setup docs and real-world examples
1# Maven Tools MCP Server23[](https://openjdk.java.net/)4[](https://spring.io/projects/spring-boot)5[](https://modelcontextprotocol.io/)6[](LICENSE)7[](https://github.com/arvindand/maven-tools-mcp/releases)8[](https://hub.docker.com/r/arvindand/maven-tools-mcp)9[](https://hub.docker.com/r/arvindand/maven-tools-mcp)10[](https://github.com/arvindand/maven-tools-mcp/stargazers)1112Dependency intelligence infrastructure for AI assistants and agents working with JVM projects.1314## π― Why This Exists1516### The Developer Problem1718Traditional upgrade workflow:19201. Google "Spring Boot 2.7 to 3.2 migration guide" (5 minutes)212. Read 50-page migration docs, cross-reference breaking changes (15 minutes)223. Check Maven Central for compatible dependency versions (5 minutes)234. Update pom.xml, compile, fix breaking changes (30 minutes)245. Debug mysterious runtime errors from incompatible transitive dependencies (2 hours)2526**Total: ~3 hours, high error rate, production risks**2728### The Solution2930AI-powered workflow:31321. Ask your AI assistant: "Should I upgrade Spring Boot from 2.7.18 to 3.2.1? What will break?"332. Get instant analysis + migration plan:34 - Latest stable: 3.2.1 available35 - Breaking changes: `javax.*` β `jakarta.*`, Hibernate 5β6, Security API changes36 - Compatible dependency versions provided37 - Step-by-step migration plan with code fixes38 - Documentation links for each breaking change3940**Total: 30 seconds for complete plan, ~30 minutes for AI-assisted implementation vs 3+ hours manual**4142### The AI Agent Opportunity4344Traditional dependency bots (Renovate, Dependabot) can update version numbers but can't fix the code when APIs break.4546**AI agents with Maven Tools MCP can:**4748- Detect outdated dependencies49- Understand breaking changes (via documentation lookup)50- Update both version numbers AND fix code changes51- Run tests and debug failures52- Create PRs with complete, working upgrades5354**This is infrastructure for the next generation of automated dependency management.**5556## β‘ See It In Action5758### Interactive Development (Primary Use Case)59606162**Developer β GitHub Copilot Chat (VS Code):** "Check all latest versions of the dependencies in my pom.xml"6364**Copilot (via MCP):** Instantly analyzes all dependencies and provides:6566- Current version vs latest available67- Stability classification (stable/RC/beta/etc.)68- Update recommendations (major/minor/patch)69- Security and compatibility insights70- Complete upgrade guidance7172**Time:** Seconds vs minutes of manual checking73**Confidence:** High (real-time data from Maven Central)7475### AI Agent Automation (Emerging Use Case)7677<!-- TODO: Add AI agent workflow diagram here -->7879**Developer β Aider/Claude Code:** "Upgrade my Spring Boot project from 2.7 to 3.2"8081**AI Agent workflow:**82831. Scans pom.xml with Maven Tools MCP842. Identifies Spring Boot 2.7.18 β 3.2.1 available853. Fetches documentation (via Context7) for breaking changes864. Updates pom.xml versions875. Fixes code: `javax.*` β `jakarta.*`, deprecated APIs, config changes886. Runs tests, debugs failures897. Creates PR with working upgrade9091Traditional bots stop at step 4. AI agents complete the job.9293See also: [`π€ Dogfooding: Weekly Self-Updating Dependencies`](#-dogfooding-weekly-self-updating-dependencies) for the real in-repo GitHub Actions + agent workflow that applies this pattern to Maven Tools MCP itself.9495## π¬ Real-World Examples9697### Starting a New Feature9899**Ask:** "I'm building a REST API for IoT data ingestion. I need high-throughput JSON parsing, time-series data structures, and async HTTP client. What libraries should I use with Spring Boot 3.2?"100101**Get:**102103- Jackson 2.17.0 for JSON (included in Spring Boot)104- Chronicles Wire 2.25.x for time-series105- Spring WebClient (reactive, built-in)106- Complete dependency blocks with reasoning107108**Result:** Production-ready stack in 30 seconds vs hours of research109110### Choosing Between Alternatives111112**Ask:** "Should I use Redis or Caffeine for caching ~10k req/min in Spring Boot?"113114**Get:** Comparative analysis:115116- Caffeine recommended for your throughput117- In-memory, sub-millisecond latency118- Latest version: 3.1.8119- Use Redis only if multi-instance with shared state120- Complete reasoning + dependency blocks for both options121122**Result:** Architectural decision made with confidence, not guesswork123124### Reviewing Upgrade PRs125126**Ask:** "This Renovate PR upgrades Spring Boot 2.7.18 β 3.2.1. What will break?"127128**Get:** Breaking change analysis:129130- `javax.*` β `jakarta.*` namespace migration131- Hibernate 5.6 β 6.4 (query syntax changes)132- Spring Security config API changes133- Compatible dependency versions provided134135**Result:** Know before merging, not after production breaks136137### Security Response138139**Ask:** "Check these dependencies for CVEs and show me safe upgrade paths: org.springframework:spring-core:5.3.20, com.fasterxml.jackson.core:jackson-databind:2.13.3"140141**Get:**142143- Spring Core 5.3.20: CVE-2023-20861 (RCE) - Upgrade to 5.3.30+144- Jackson 2.13.3: CVE-2022-42003 (DoS) - Upgrade to 2.13.5+145- Latest compatible versions with Spring Boot provided146147**Result:** Immediate vulnerability awareness with clear remediation path148149### Bulk Project Analysis150151**Ask:** "Analyze my project's dependency health" (paste pom.xml)152153**Get:** Health report:154155- 3 dependencies with CVEs (critical: 1, high: 2)156- 5 dependencies >2 years old (maintenance concern)157- 2 GPL dependencies (license risk)158- Recommended upgrades with stability classification159160**Result:** Complete project health snapshot in <2 seconds161162## π Quick Setup163164### Claude Desktop165166**Prerequisites:** Docker installed and running167168**Step 1:** Locate your Claude Desktop configuration file169170- **macOS:** `~/Library/Application Support/Claude/claude_desktop_config.json`171- **Windows:** `%APPDATA%\Claude\claude_desktop_config.json`172- **Linux:** `~/.config/Claude/claude_desktop_config.json`173174**Step 2:** Add this configuration:175176```json177{178 "mcpServers": {179 "maven-tools": {180 "command": "docker",181 "args": [182 "run", "-i", "--rm",183 "arvindand/maven-tools-mcp:latest"184 ]185 }186 }187}188```189190Optional: export `CONTEXT7_API_KEY` before launching Claude Desktop and add `"-e", "CONTEXT7_API_KEY"` to the Docker args if you want to pass a Context7 API key (recommended for auth-required environments and future-proofing). If you don't need Context7 raw tools, use `arvindand/maven-tools-mcp:latest-noc7`.191192**Step 3:** Restart Claude Desktop193194**Note:** The Docker image supports both AMD64 (Intel/AMD) and ARM64 (Apple Silicon) architectures.195196**Available Image Variants:**197198| Tag | Transport | Context7 | Use Case |199|-----|-----------|----------|----------|200| `:latest` | STDIO | Yes | Default for Claude Desktop, Copilot |201| `:latest-noc7` | STDIO | No | Corporate networks blocking Context7 |202| `:latest-http` | HTTP | Yes | Streamable HTTP transport variant |203204**Troubleshooting:** If your network blocks `https://mcp.context7.com` or you want to disable raw Context7 tools entirely, use: `arvindand/maven-tools-mcp:latest-noc7`205206### VS Code + GitHub Copilot207208**Workspace config** - Create `.vscode/mcp.json`:209210```json211{212 "servers": {213 "maven-tools": {214 "type": "stdio",215 "command": "docker",216 "args": ["run", "-i", "--rm", "arvindand/maven-tools-mcp:latest"]217 }218 }219}220```221222Optional: add `"-e", "CONTEXT7_API_KEY"` before the image name if you want to pass a Context7 API key.223224**Usage:** Open Chat view (Ctrl+Alt+I), enable Agent mode, use Tools button to enable Maven tools.225226### Native Binary (No Docker)227228For JVM environments or Docker-restricted systems, build the JAR locally:229230```bash231# Clone and build232git clone https://github.com/arvindand/maven-tools-mcp.git233cd maven-tools-mcp234./mvnw clean package -DskipTests235236# Configure Claude Desktop237{238 "mcpServers": {239 "maven-tools": {240 "command": "java",241 "args": ["-jar", "/absolute/path/to/target/maven-tools-mcp-2.0.5.jar"]242 }243 }244}245```246247See [Build from Source](#build-from-source-for-contributors) for detailed build options.248249## π― When To Use This250251### β Perfect For252253**Interactive Development:**254255- Starting new projects (get complete dependency stack recommendations)256- Adding features (instant library recommendations while coding)257- Technology decisions (expert comparison between alternatives)258- Upgrade planning (understand breaking changes before starting)259- Security audits (CVE detection before adoption)260- License compliance (avoid GPL surprises)261262**AI Agent Automation:**263264- Automated dependency upgrades with code fixes (Aider, Claude Code)265- Intelligent dependency selection in code generation266- Breaking change analysis and remediation267- Security vulnerability remediation workflows268269**Enterprise Use Cases:**270271- Bulk dependency analysis across projects272- Security compliance reporting273- License audit automation274- Dependency health monitoring275276### β Not For277278- **Non-JVM projects** (currently Maven Central only)279- **Private repositories** (Maven Central only)280- **Simple version lookups** if you just need maven.org search (overkill)281282## π§ Supported Build Tools283284Working with **any build tool** that uses Maven Central Repository:285286| Build Tool | Dependency Format | Example Usage |287|------------|------------------|---------------|288| **Maven** | `groupId:artifactId:version` | `org.springframework:spring-core:6.2.8` |289| **Gradle** | `implementation("group:artifact:version")` | Uses same Maven coordinates |290| **SBT** | `libraryDependencies += "group" % "artifact" % "version"` | Same groupId:artifactId format |291| **Mill** | `ivy"group:artifact:version"` | Same Maven Central lookup |292293**All tools use standard Maven coordinates** - just provide `groupId:artifactId` and we handle the rest.294295## π€ Dogfooding: Weekly Self-Updating Dependencies296297Maven Tools MCP runs its own dependency agent against itself every week β a live demonstration of AI-agent automation for Maven dependency management.298299If you want the conceptual version first, see [`AI Agent Automation (Emerging Use Case)`](#ai-agent-automation-emerging-use-case) above, then compare it with the concrete workflow below.300301### How It Works302303A scheduled GitHub Actions workflow ([`dependency-agent-self-update.yml`](.github/workflows/dependency-agent-self-update.yml)):3043051. Starts the Maven Tools MCP HTTP sidecar (`arvindand/maven-tools-mcp:latest-http`; `CONTEXT7_API_KEY` is optional and can be passed when you want to authenticate raw Context7 tools)3062. Runs the [`copilot-maven-tools-agent`](agents/copilot-maven-tools-agent/) against the root `pom.xml`3073. Applies all stable minor/patch updates automatically3084. Creates or updates a persistent PR branch (`bot/dependency-agent-self-update`) via GitHub Actions3095. Repo CI validates the build on the PR310311Major version updates are surfaced in the workflow log but not auto-applied β those require manual review.312313### Agent Location314315The dependency agent lives at [`agents/copilot-maven-tools-agent/`](agents/copilot-maven-tools-agent/). It is a Python subproject built with the **GitHub Copilot SDK** and Maven Tools MCP for dependency intelligence.316317### Why the Copilot SDK (Not the Copilot Agent)?318319The agent is implemented using the **GitHub Copilot SDK** directly β not the higher-level Copilot agent/extension. This was a deliberate choice: the Copilot agent approach was considered but the SDK gives full control over the MCP client lifecycle, making the architecture easy to extend to other AI platforms. Swapping the Copilot SDK client for a GitLab Duo client, an Azure OpenAI client, or any other provider requires changing only the AI client layer β the POM parsing, MCP tool calls, and upgrade logic remain identical. The agent is designed to serve as a reference implementation for SDK-based MCP integrations across platforms.320321### Parallel to GitHub Agentic Workflows322323This follows a similar shape to GitHub Agentic Workflows: GitHub Actions orchestrates a bounded AI-agent task and the output is a reviewable PR. The difference is that this repo uses a hand-authored workflow YAML plus a purpose-built Python agent (Copilot SDK + Maven Tools MCP), rather than authoring in Markdown and compiling via `gh aw`.324325### Required Setup326327To enable the weekly workflow in your fork or copy of this repo:3283291. Create a fine-grained PAT named `COPILOT_BOT_PAT` with:330 - **Repository permissions:** Contents (write), Pull requests (write), Metadata (read)331 - **GitHub Copilot:** Requests permission3322. Add it as a repository secret under **Settings β Secrets β Actions**333334### Manual Trigger335336Run the workflow manually at any time:337338**Via GitHub UI:** Go to **Actions β Dependency Agent Self-Update β Run workflow**339340**Via GitHub CLI:**341342```bash343gh workflow run dependency-agent-self-update.yml344# Or with dry-run (analyze only, no PR):345gh workflow run dependency-agent-self-update.yml -f dry_run=true346```347348## π Available Tools (10 Tools)349350### Core Maven Intelligence Tools (8 tools)351352| Tool | Purpose | Key Features |353|------|---------|--------------|354| `get_latest_version` | Get newest version by type with stability preferences | stabilityFilter parameter (ALL/STABLE_ONLY/PREFER_STABLE) |355| `check_version_exists` | Verify if specific version exists with type info | Version type classification |356| `check_multiple_dependencies` | Bulk lookup (NO versions in input) | stabilityFilter parameter, bulk operations |357| `compare_dependency_versions` | Bulk upgrade check (versions REQUIRED) | includeSecurityScan (OSV.dev), Context7 guidance |358| `analyze_dependency_age` | Classify dependencies as fresh/current/aging/stale | maxAgeInDays threshold, Context7 guidance |359| `analyze_release_patterns` | Analyze maintenance activity and predict releases | monthsToAnalyze parameter, velocity trends |360| `get_version_timeline` | Enhanced version timeline with temporal analysis | versionCount parameter, release gap detection |361| `analyze_project_health` | Bulk project health audit (PREFERRED for full audits) | includeSecurityScan (OSV.dev), includeLicenseScan |362363### Raw Context7 Documentation Tools (2 tools - Enabled by Default)364365| Tool | Purpose | Key Features |366|------|---------|--------------|367| `resolve-library-id` | Search for library documentation | Requires `query` and `libraryName` parameters |368| `query-docs` | Get library documentation by ID | Uses `libraryId` and `query` parameters |369370### Tool Parameters371372**Stability Filter (v2.0.0+):**373374- `stabilityFilter` - Unified stability filtering with enum values:375 - `ALL` - Include all version types (default for most operations)376 - `STABLE_ONLY` - Filter to production-ready versions only377 - `PREFER_STABLE` - Prioritize stable versions, include others too (default for get_latest_version)378379**Analytical Parameters:**380381- `maxAgeInDays` - Set acceptable age threshold for dependencies382- `monthsToAnalyze` - Specify analysis period for release patterns (default: 24)383- `versionCount` - Number of recent versions to analyze in timeline (default: 20)384385**Security & License Parameters:**386387- `includeSecurityScan` - Include OSV.dev vulnerability scanning (default: true)388- `includeLicenseScan` - Include license detection/analysis (default: true)389390**Context7 Integration:**391392Context7 integration is **enabled by default** (`context7.enabled=true`). Maven tools automatically include explicit orchestration instructions in response models when upgrades or modernization are needed. Additionally, the server acts as an MCP client to expose raw Context7 tools (`resolve-library-id`, `query-docs`) directly to your AI assistant. A Context7 API key is **optional** for Context7-enabled images and can be provided via `context7.api-key` or the `CONTEXT7_API_KEY` environment variable (recommended for auth-required environments, rate limits, and future-proofing). When disabled, responses contain only core dependency analysis without orchestration instructions or Context7 tools.393394### Detailed Tool Documentation395396For complete parameter documentation and examples for each tool, see the [current README sections 201-406](README.md#get_latest_version).397398## π‘ Key Capabilities399400### π Intelligence, Not Just Lookup401402**Stability Classification:**403404- Automatically classifies versions: `stable` / `rc` / `beta` / `alpha` / `milestone` / `snapshot`405- Configurable filtering: show only stable, prefer stable, or show all406- Production-safe defaults407408**Comparative Analysis:**409410- Compare current vs latest versions411- Understand upgrade impact (major/minor/patch)412- Breaking change awareness via documentation integration413414**Temporal Analysis:**415416- Age classification: fresh (<6mo), current (<1yr), aging (<2yr), stale (>2yr)417- Release velocity trends (accelerating/stable/declining)418- Maintenance health indicators419420### π Security & Compliance421422**CVE Vulnerability Scanning:**423424- Powered by OSV.dev (Google's Open Source Vulnerabilities database)425- Scans against known CVEs in Java ecosystem426- Severity ratings and remediation guidance427- Bulk scanning for entire projects428429**License Compliance:**430431- Automatic license detection432- GPL/LGPL identification (legal risk flagging)433- License compatibility analysis434- Enterprise compliance reporting435436### β‘ Performance437438**Production-Ready Speed:**439440- Single dependency: <100ms (cached)441- Bulk 20+ dependencies: <500ms442- Native image startup: <50ms443- Zero warm-up time (Spring AOT + GraalVM)444445**Intelligent Caching:**446447- Maven metadata cached with smart invalidation448- Context7 results cached449- Reduces Maven Central load450- Sub-second responses for repeated queries451452### π€ AI-Optimized Responses453454**Structured for AI Consumption:**455456- Clean JSON responses (no HTML parsing needed)457- Explicit orchestration instructions (guides AI tool usage)458- Rich metadata (downloads, licenses, CVEs, age, stability)459- Comparative analysis built-in460461**Guided Delegation Pattern:**462463Maven Tools MCP provides explicit instructions:464465```466"If you need Hibernate documentation, use Context7:4671. Call resolve-library-id with 'hibernate'4682. Use returned ID to call query-docs4693. If Context7 unavailable, fall back to web_search"470```471472Result: AI assistants orchestrate tools effectively473474## π Why This Is Different475476### vs Manual Googling / StackOverflow477478| Aspect | Manual Search | Maven Tools MCP |479|--------|---------------|-----------------|480| Time for single dependency | 3-10 minutes | 10 seconds |481| Data freshness | Varies (often outdated) | Always current (direct from Maven Central) |482| Compatibility verification | Manual cross-checking | Automatic for your framework version |483| Security awareness | Manual CVE lookup | Built-in OSV.dev scanning |484| License compliance | Manual license reading | Automatic detection + risk flagging |485| Context switching | Leave IDE β Browser | Stay in AI assistant |486487### vs IDE Dependency Search488489| Capability | IDE Search | Maven Tools MCP |490|------------|-----------|-----------------|491| Find dependency | β Basic search | β Intelligent search |492| Version recommendations | β Show all versions | β Recommend best version with reasoning |493| Comparative analysis | β | β Compare alternatives (Redis vs Caffeine) |494| Breaking change awareness | β | β Via documentation integration |495| Security scanning | β οΈ Limited | β Full CVE scanning |496| Bulk operations | β | β Analyze 20+ deps in <500ms |497| AI-friendly | β GUI only | β Structured API for AI |498499### vs Dependency Management Bots500501**Traditional bots (Renovate, Dependabot):**502503Automated PR Creation:504505- β Scan existing pom.xml for outdated dependencies506- β Update version numbers507- β Create PR508- β Fix broken code509- β Interactive during development510- β Technology selection advice511- β Comparative analysis512513Use case: Automated maintenance of existing dependencies514515**AI Agents + Maven Tools MCP:**516517Intelligent Automation:518519- β Scan dependencies520- β Update versions521- β Fix breaking code changes (javaxβjakarta, deprecated APIs)522- β Debug test failures523- β Interactive during development524- β Technology recommendations525- β Comparative analysis526527Use case: Complete automation + developer assistance528529**They're different categories:**530531- Dependency bots = Automation (no human in loop after setup)532- Maven Tools MCP = Intelligence infrastructure (enables human + AI decisions)533534Can coexist. Or AI agents may replace bots for complex upgrades. Both valid strategies.535536## β¨ Advanced Examples537538### Dependency Age Analysis539540**Usage:** *"How old is my Spring Boot dependency and should I update it?"*541**Tool:** `analyze_dependency_age`542543```json544{545 "dependency": "org.springframework.boot:spring-boot-starter",546 "age_classification": "current",547 "days_since_release": 45,548 "recommendation": "Actively maintained - consider updating if needed"549}550```551552### Release Pattern Analysis553554**Usage:** *"What's the maintenance pattern for Jackson? When might the next release be?"*555**Tool:** `analyze_release_patterns`556557```json558{559 "dependency": "com.fasterxml.jackson.core:jackson-core",560 "maintenance_level": "active",561 "release_velocity": 1.2,562 "next_release_prediction": "Expected in 3 weeks"563}564```565566### Project Health Check567568**Usage:** *"Give me a health assessment for all my key dependencies"*569**Tool:** `analyze_project_health`570571```json572{573 "overall_health": "good",574 "average_health_score": 78,575 "age_distribution": {"fresh": 2, "current": 8, "aging": 3, "stale": 1}576}577```578579### Version Timeline Intelligence580581**Usage:** *"Show me the recent release timeline for JUnit with gap analysis"*582**Tool:** `get_version_timeline`583584```json585{586 "insights": ["High release frequency indicates active development"],587 "recent_activity": {"activity_level": "active", "releases_last_quarter": 4}588}589```590591## π§ Custom Commands & Prompts592593This project includes pre-built commands and prompts for common dependency management tasks.594595### Claude Code Slash Commands596597Located in `.claude/commands/`, these commands work with Claude Code CLI:598599| Command | Description |600|----------------|------------------------------------------------------|601| `/deps-check` | Quick version lookup for dependencies |602| `/deps-health` | Full health audit with security + license analysis |603| `/deps-upgrade`| Upgrade recommendations with breaking change warnings|604| `/deps-age` | Freshness and maintenance activity analysis |605606**Usage Examples:**607608```bash609# Check versions for specific dependencies610/deps-check org.springframework:spring-core,com.google.guava:guava611612# Full health audit of your project613/deps-health614615# Get upgrade plan for current dependencies616/deps-upgrade org.springframework:spring-core:6.0.0,junit:junit:4.13.2617```618619### GitHub Copilot Prompts620621Located in `.github/prompts/`, these work with GitHub Copilot Chat:622623| Prompt | Description |624|------------------------|----------------------------------------------------|625| `dependency-audit.md` | Comprehensive dependency audit with health scoring |626| `security-scan.md` | CVE vulnerability scanning with remediation plan |627| `upgrade-plan.md` | Phased upgrade plan with breaking change analysis |628629**Usage:** Reference these prompts in Copilot Chat or use them as templates for your own dependency management workflows.630631## π€ Frequently Asked Questions632633### General634635**Q: What problem does this solve?**636A: Eliminates the time-consuming, error-prone process of manually researching dependencies. Provides instant, expert recommendations through your AI assistant so you stay in flow instead of context-switching to Google/Maven Central/documentation sites.637638**Q: Who should use this?**639A: Java/Kotlin/Scala developers using AI assistants (Claude, Copilot, Cursor) for development. Especially valuable when starting projects, adding features, making technology decisions, or working with AI agents for automation.640641**Q: Does this replace my IDE's dependency management?**642A: No. Your IDE still manages the actual dependencies in your project. This provides intelligent recommendations and analysis through conversational AI interfaces. Think of it as an expert consultant, not a replacement for your build tool.643644### Technical645646**Q: How is the data so current?**647A: Direct integration with Maven Central Repository. We fetch maven-metadata.xml files directly from repo.maven.apache.org in real-time. No database, no stale data. Cached intelligently to reduce load.648649**Q: Does it work with private Maven repositories?**650A: Currently Maven Central only. Private repository support is on the roadmap. For internal libraries, you can still use web search as fallback.651652**Q: What about Gradle/SBT/other build tools?**653A: Works with all JVM build tools because they all use Maven Central as the canonical repository. The tool speaks Maven coordinates (groupId:artifactId), which are universal across JVM build systems.654655**Q: How accurate is the CVE scanning?**656A: Powered by OSV.dev (Google's Open Source Vulnerabilities database), which aggregates CVE data from NVD, GitHub Security Advisories, and other sources. High accuracy, but always verify critical findings through official channels.657658**Q: Can I self-host this?**659A: Yes. Docker image available, or run the JAR/native binary directly. No external dependencies except Maven Central and optional OSV.dev/Context7. See deployment docs for details.660661### AI Agents & Automation662663**Q: Can this replace Renovate/Dependabot?**664A: Different use cases. Traditional bots excel at automated PR creation for routine updates. AI agents with Maven Tools MCP excel at complex upgrades requiring code changes. Both valid approaches. Some teams may prefer AI agents for everything, others use both. Your choice.665666**Q: What AI agents work with this?**667A: Any MCP-compatible agent: Aider, Claude Code (via Claude Desktop), Cursor, or custom agents using the MCP protocol. Integration requires MCP support.668669**Q: How do AI agents use this for automated upgrades?**670A: Agents use the tools to scan dependencies, check versions, understand breaking changes (via Context7), then update both version numbers and code. Example: javaxβjakarta migration during Spring Boot 2β3 upgrade. The agent fixes both.671672### Usage & Workflow673674**Q: Do I need to use this for every dependency lookup?**675A: No. Use it when you need intelligent recommendations or bulk analysis. For trivial lookups (you already know exactly what you want), just add the dependency directly. This is for decision-making scenarios.676677**Q: How much time does this actually save?**678A: Conservative estimate: 5-10 minutes per dependency decision (research, compatibility check, security verification). Heavy users report saving hours per week. The real win is staying in flow vs context-switching.679680**Q: Does it work offline?**681A: No. Requires internet access to Maven Central. Cached results work offline for previously-queried dependencies, but first query requires network access.682683**Q: What's the Context7 integration about?**684A: Context7 provides up-to-date library documentation and code examples. Maven Tools MCP includes guided orchestration - it tells your AI assistant when and how to use Context7 for documentation needs. Falls back to web search if Context7 is unavailable.685686## π’ Enterprise Considerations687688### Security689690- β No credentials required - read-only access to public Maven Central691- β TLS for all connections - encrypted communication692- β No data persistence - stateless, no storage of queries or results693- β CVE scanning - proactive vulnerability detection694- β License compliance - automated legal risk flagging695696### Performance & Scale697698- β Sub-second responses - <100ms cached, <500ms fresh699- β Horizontal scaling - stateless design, run multiple instances700- β Efficient caching - reduces Maven Central load701- β Native images - <50ms startup, lower resource usage702- β Production-proven - Spring Boot battle-tested infrastructure703704### Compliance & Governance705706- β License detection - automatic GPL/LGPL flagging707- β Audit trail - Spring Boot logging integration708- β Corporate proxy support - works behind firewalls709- β Custom certificates - SSL inspection compatibility710- β Self-hostable - no SaaS dependency711712## π§ Troubleshooting713714### Context7 Connection Issues715716**Symptom:** Context7 raw tools fail or are unavailable in Context7-enabled images717**Cause:** A network that blocks <https://mcp.context7.com> or an environment where Context7 requires auth and no API key is provided718**Solution (skip Context7 raw tools):** Use Context7-free image:719720```json721{722 "mcpServers": {723 "maven-tools": {724 "command": "docker",725 "args": ["run", "-i", "--rm", "arvindand/maven-tools-mcp:latest-noc7"]726 }727 }728}729```730731**Solution (keep Context7 enabled):** `CONTEXT7_API_KEY` is optional, but if your environment requires Context7 auth (or you want to avoid anonymous limits), export it and pass it through Docker with `-e CONTEXT7_API_KEY` in your MCP client config.732733### SSL Inspection / Corporate Certificates734735**Symptom:** SSL handshake failures, certificate errors736**Cause:** Corporate MITM proxy with custom CA certificates737**Solution:** Build custom image with corporate certificates - see [CORPORATE-CERTIFICATES.md](CORPORATE-CERTIFICATES.md)738739### Slow First Query740741**Symptom:** First query takes 2-3 seconds742**Cause:** Cold start + uncached Maven Central request743**Expected behavior:** Subsequent queries <100ms (cached). This is normal.744745### Docker Permission Issues746747**Symptom:** "permission denied" when running Docker command748**Solution:**749750```bash751# Linux: Add user to docker group752sudo usermod -aG docker $USER753# Then logout/login754755# Windows/Mac: Ensure Docker Desktop is running756```757758## π¬ Technical Architecture759760### Design Principles761762**1. Zero External State**763764- Stateless Spring Boot application765- All data from Maven Central (no database)766- Idempotent operations767- Horizontally scalable768769**2. Fail-Fast with Graceful Degradation**770771- Context7 unavailable? Provide fallback instructions772- OSV.dev timeout? Return results without CVE data773- Network issues? Clear error messages774- No silent failures775776**3. Production-Ready Performance**777778- Spring AOT + GraalVM native images779- HTTP client connection pooling780- Smart caching strategies781- <50ms startup time (native)782783### How It Works784785```786AI Assistant β MCP Protocol β Maven Tools MCP Server787788Workflow:7891. AI assistant parses user request and extracts dependency coordinates7902. AI assistant calls MCP tool with coordinates (groupId:artifactId)7913. Server fetches maven-metadata.xml from Maven Central7924. Server parses XML, classifies versions by stability7935. Optionally: Server queries OSV.dev for CVEs7946. Optionally: Server fetches license from POM7957. Server returns structured JSON to AI assistant7968. AI assistant interprets results and responds to user797798Response time: <100ms (cached), <500ms (fresh)799```800801### Deployment Options802803**Docker STDIO (Recommended for Desktop):**804805- Multi-arch support (AMD64 + ARM64)806- Automatic platform selection807- Isolated environment808- `docker run -i --rm arvindand/maven-tools-mcp:latest`809- Optional (pass Context7 API key): `docker run -i --rm -e CONTEXT7_API_KEY arvindand/maven-tools-mcp:latest`810811**Docker HTTP (Streamable HTTP Transport):**812813- HTTP-based MCP protocol on port 8080814- Health probes: `/actuator/health/liveness`, `/actuator/health/readiness`815- `docker run -p 8080:8080 arvindand/maven-tools-mcp:latest-http`816- Optional (pass Context7 API key): `docker run -p 8080:8080 -e CONTEXT7_API_KEY arvindand/maven-tools-mcp:latest-http`817818**Native Image:**819820- <50ms startup821- Lower memory footprint (~100MB vs 500MB JVM)822- Platform-specific binaries823- Download from [Releases](https://github.com/arvindand/maven-tools-mcp/releases)824825**JVM JAR:**826827- Maximum compatibility828- Dynamic configuration829- ~200ms startup830- `java -jar maven-tools-mcp.jar`831832### Network Requirements833834**Outbound HTTPS to:**835836- `repo1.maven.org` (Maven Central metadata)837- `api.osv.dev` (CVE vulnerability data)838- `mcp.context7.com` (optional documentation)839840**Corporate Networks:**841842- Proxy configuration supported843- Custom CA certificates supported (see [CORPORATE-CERTIFICATES.md](CORPORATE-CERTIFICATES.md))844- Context7-free builds available (`arvindand/maven-tools-mcp:latest-noc7`)845- HTTP transport variant (`arvindand/maven-tools-mcp:latest-http`)846847## Alternative Setup Methods848849### Using Docker Compose850851**Alternative Claude Desktop configuration** (if you prefer compose):852853Download `docker-compose.yml` and configure:854855```json856{857 "mcpServers": {858 "maven-tools": {859 "command": "docker",860 "args": [861 "compose", "-f", "/absolute/path/to/docker-compose.yml",862 "run", "--rm", "maven-tools-mcp"863 ]864 }865 }866}867```868869**For development/testing only:**870871```bash872docker compose up -d # Runs server in background for testing873```874875### Build from Source (for contributors)876877**Prerequisites:**878879- Java 24880- Maven 3.9+881882```bash883# Clone the repository884git clone https://github.com/arvindand/maven-tools-mcp.git885cd maven-tools-mcp886887# Quick build (CI-friendly - unit tests only)888./mvnw clean package -Pci889890# Full build with all tests (requires network access)891./mvnw clean package -Pfull892893# Run the JAR894java -jar target/maven-tools-mcp-2.0.5.jar895```896897**Claude Desktop configuration for JAR:**898899```json900{901 "mcpServers": {902 "maven-tools": {903 "command": "java",904 "args": [905 "-jar",906 "/absolute/path/to/maven-tools-mcp-2.0.5.jar"907 ]908 }909 }910}911```912913### Build Scripts914915For easier builds, use the provided scripts in the `build/` folder:916917**Linux/macOS:**918919```bash920cd build921./build.sh # Complete build helper922./build-docker.sh # Docker-focused helper923```924925**Windows:**926927```cmd928cd build929build.cmd # Complete build helper930build-docker.cmd # Docker-focused helper931```932933## Configuration934935The server can be configured via `application.yaml`:936937```yaml938# Cache configuration939spring:940 cache:941 type: caffeine942943# Maven Central Repository settings944maven:945 central:946 repository-base-url: https://repo1.maven.org/maven2947 timeout: 10s948 max-results: 100949950# Logging (minimal for MCP stdio transport)951logging:952 level:953 root: ERROR954```955956## Technical Details957958- **Framework**: Spring Boot 3.5.11 with [Spring AI MCP](https://docs.spring.io/spring-ai/reference/api/mcp.html)959- **MCP Protocol**: 2025-06-18960- **Java Version**: 24961- **Transport**: stdio962- **HTTP Client**: OkHttp 5.3.2 with HTTP/2 support963- **Cache**: Caffeine (24-hour TTL, 2000 entries max)964- **Resilience**: Circuit breaker, retry, and rate limiter patterns965- **Data Source**: Maven Central Repository (maven-metadata.xml files)966967## References & Resources968969### Model Context Protocol (MCP)970971- **Official Website**: [modelcontextprotocol.io](https://modelcontextprotocol.io/)972- **GitHub Repository**: [modelcontextprotocol/specification](https://github.com/modelcontextprotocol/specification)973- **Protocol Documentation**: [MCP Specification](https://spec.modelcontextprotocol.io/)974975### Spring AI MCP976977- **Documentation**: [Spring AI MCP Reference](https://docs.spring.io/spring-ai/reference/api/mcp/mcp-overview.html)978- **GitHub**: [spring-projects/spring-ai](https://github.com/spring-projects/spring-ai)979980### Maven Central Repository981982- **Repository**: [repo1.maven.org](https://repo1.maven.org/maven2/)983- **Metadata Format**: [Maven Metadata XML Reference](https://maven.apache.org/ref/3.9.6/maven-repository-metadata/)984- **Search API**: [search.maven.org](https://search.maven.org/) (not used in v1.4.0+)985986### Context7 MCP Server987988- **GitHub Repository**: [upstash/context7](https://github.com/upstash/context7)989- **NPM Package**: [@upstash/context7-mcp](https://www.npmjs.com/package/@upstash/context7-mcp)990- **Documentation**: [Upstash Context7 Blog](https://upstash.com/blog/context7-mcp)991992## π Community & Discussion993994**Blog Posts:**995996- [How I Connected Claude to Maven Central (and Why You Should Too)](https://dev.to/arvindand/how-i-connected-claude-to-maven-central-and-why-you-should-too-2clo)997- [Guided Delegation: Adding Context7 Documentation to My Maven Tools MCP Server](https://dev.to/arvindand/guided-delegation-adding-context7-documentation-to-my-maven-tools-mcp-server-572l)998999### Get Involved10001001- π¬ **Discuss:** Share your experiences and ask questions [on dev.to](https://dev.to/arvindand/how-i-connected-claude-to-maven-central-and-why-you-should-too-2clo)1002- π **Issues:** [Report bugs or request features](https://github.com/arvindand/maven-tools-mcp/issues)1003- β **Support:** Star this repo if it improves your workflow10041005## License10061007This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.10081009## Author10101011Arvind Menon10121013- GitHub: [@arvindand](https://github.com/arvindand)1014- Version: 2.0.51015
Full transparency β inspect the skill content before installing.