Skip to content

arvindand/maven-tools-mcp

MCP Developer Tools

A Maven‑Central powered server that provides structured JVM dependency metadata (versions, stability, CVEs, licenses) to MCP clients via Docker or direct invocation

Track releases GitHub Website
Java Latest v3.0.1 · 19d ago Security brief →

Features

  • Lookup latest stable versions of any Maven coordinate with stability filtering
  • Bulk compare current dependencies against what's available on Maven Central
  • Generate deterministic upgrade plans (major/minor/patch context, conflict handling) without building the project
  • Expose CVE, license, and maintenance signals in a machine‑readable format for agents or AI assistants
  • Support multiple transport modes: STDIO Docker container, HTTP endpoint, and variants with/without Context7 integration

Recent releases

View all 11 releases →
No immediate action
v3.0.1 Bug fix

Pre‑release qualifier classification

Open
Review required
v3.0.0 Breaking risk
Dependencies

Removed get_version_timeline

Open
Upgrade now
v2.1.1 Breaking risk
Dependencies Breaking upgrade

MCP SDK BOM removal

Open
v2.1.0 New feature
Notable features
  • Bearer and Basic auth support via OkHttp interceptor for private repositories
  • Configuration properties `maven.central.auth.type`, `maven.central.auth.username`, `maven.central.auth.password`, `maven.central.auth.token`
  • Full compatibility of authentication config with GraalVM native images
Full changelog

Private Repository Authentication

Adds support for private Maven repositories (Nexus, Artifactory, GitHub Packages) with configurable authentication. Works with both JVM and native Docker images.

Added

  • Repository Authentication: Bearer and Basic auth support via OkHttp interceptor
  • Configuration Properties: maven.central.auth.type, maven.central.auth.username, maven.central.auth.password, maven.central.auth.token
  • Native Image Support: Auth config fully compatible with GraalVM native images
  • Spring Configuration Metadata: IDE autocomplete for all new auth properties

Usage

# Bearer auth (JFrog, GitHub Packages)
docker run -i --rm \
  -e MAVEN_CENTRAL_REPOSITORY_BASE_URL=https://maven.pkg.github.com/your-org/your-repo \
  -e MAVEN_CENTRAL_AUTH_TYPE=bearer \
  -e MAVEN_CENTRAL_AUTH_TOKEN=your-token \
  arvindand/maven-tools-mcp:latest

# Basic auth (Nexus, Artifactory)
docker run -i --rm \
  -e MAVEN_CENTRAL_REPOSITORY_BASE_URL=https://nexus.internal.corp/repository/maven/ \
  -e MAVEN_CENTRAL_AUTH_TYPE=basic \
  -e MAVEN_CENTRAL_AUTH_USERNAME=admin \
  -e MAVEN_CENTRAL_AUTH_PASSWORD=secret \
  arvindand/maven-tools-mcp:latest

Any repository that serves standard maven-metadata.xml files is supported.

Full Changelog: https://github.com/arvindand/maven-tools-mcp/compare/v2.0.7...v2.1.0

View release on GitHub
v2.0.6 Bug fix
⚠ Upgrade required
  • MCP SDK pinned at version 0.17.2 and Logback pinned at version 1.5.22 remain required workarounds.
  • Spring AI 1.1.3 manages MCP SDK 0.17.0; the build still needs MCP SDK >= 0.17.2.
  • Logback 1.5.32 (latest) continues to cause stdout pollution in native stdio images; expected resolution with Spring AI 2.0.0 GA (~2‑3 months).
Full changelog

Dependency Update & Dogfood Agent Fix Release - Upgrades Spring AI and Spring Boot to latest stable, fixes three weeks of dogfood agent CI failures, and migrates to Copilot SDK 0.2.0 API.

Changed (2.0.6)

  • Spring AI: Upgraded from 1.1.2 to 1.1.3 (latest stable)
  • Spring Boot: Upgraded from 3.5.11 to 3.5.12 (patch)
  • maven-artifact: Upgraded from 3.9.12 to 3.9.14 (patch)
  • Resilience4j: Upgraded from 2.3.0 to 2.4.0 (minor)
  • Copilot SDK: Migrated agent to SDK 0.2.0 API (dataclass configs, PermissionHandler.approve_all)
  • Workaround Documentation: Improved pom.xml comments with clear "remove when" conditions for MCP SDK and Logback temporary overrides

Fixed (2.0.6)

  • Dogfood Agent CI Failures: The Copilot backend now requires explicit permission handling for MCP tool calls. Migrated to SDK 0.2.0 which uses PermissionHandler.approve_all and the new dataclass-based API (SubprocessConfig, keyword-arg create_session)

Notes (2.0.6)

  • Workaround status review: MCP SDK 0.17.2 pin and Logback 1.5.22 pin still required. Spring AI 1.1.3 manages MCP SDK 0.17.0 (need >= 0.17.2). Logback 1.5.32 (latest) still has stdout pollution in native stdio images. Both workarounds expected to resolve with Spring AI 2.0.0 GA (~2-3 months)
View release on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

About

Stars
25
Forks
7
Languages
Java Python Shell
View on GitHub Homepage Documentation

Install & Platforms

Install via
docker

Similar tools

pzalutski-pixel/javalens-mcp
artmann/package-registry-mcp
PhpCodeArcheology/PhpCodeArcheology
augmnt/augments-mcp-server
sgx-labs/statelessagent

Beta — feedback welcome: [email protected]