Skip to content

Library Cleanup & Consolidation: Remove 8-10 Unused Dependencies and Consolidate Duplicates #2138

Closed
Maintenance
#2240
Closed
Library Cleanup & Consolidation: Remove 8-10 Unused Dependencies and Consolidate Duplicates#2138
Maintenance
#2240
@github-actions

Description

@github-actions
github-actions
bot
opened on Jan 27, 2026

Library Cleanup & Consolidation Analysis

Analysis Date: 2026-01-27
Scope: All dependencies in pom.xml (~200 libraries)
Methodology: Comprehensive codebase scan for import statements and usage patterns

Executive Summary

This analysis identifies 8-10 unused libraries ready for removal, 3 critical consolidation opportunities, and several outdated libraries requiring migration. Implementing these recommendations will:

  • Reduce JAR size: ~250KB+ from unused dependencies
  • Simplify maintenance: Fewer libraries to track for security vulnerabilities
  • Improve consistency: Consolidate on fewer, more modern libraries
  • Reduce attack surface: Fewer dependencies = fewer CVE exposure points

Estimated Effort: 2-4 weeks across multiple PRs (phased approach recommended)

TIER 1: Safe to Remove (0 Active References)

These libraries have zero usage in the codebase and can be removed immediately with no code changes required.

1. ✅ Gson (com.google.code.gson) - 2.10.1

  • Files using it: 0
  • Status: Declared in pom.xml but no imports found
  • Replacement: Jackson is the standard JSON library (115 files using it)
  • Action: Remove from pom.xml
  • Risk: None

2. ✅ Ostermiller Utils (com.ostermiller:ostermillerutils) - 1.4.3

  • Files using it: 0
  • Status: Explicitly marked for removal in pom.xml comment
  • Comment: "we need to stop using this and replace it with apache commons"
  • Reference: PR 379 cleanup pom #386 for removal guidance
  • Action: Remove from pom.xml
  • Risk: None

3. ✅ Janino (janino:janino) - 2.3.2

  • Files using it: 0 (no direct usage found)
  • Status: pom.xml comment says "caused 404 error after removing"
  • Note: May be transitive dependency for JasperReports runtime compilation
  • Action: Investigate transitive dependency tree; remove if not needed by JasperReports
  • Risk: Low (verify JasperReports still compiles reports)

4. ✅ JCharts (jcharts:jcharts) - 0.7.5

  • Files using it: 0
  • Status: Dead project (last release 2006)
  • Replacement: JFreeChart 1.5.4 is actively used (2 files)
  • Action: Remove from pom.xml
  • Risk: None

5. ✅ TagSoup (org.ccil.cowan.tagsoup:tagsoup) - 1.2.1

  • Files using it: 0
  • Status: HTML parser library with no active usage
  • Replacement: JSoup 1.17.2 is the modern alternative (4 files using it)
  • Action: Remove from pom.xml
  • Risk: None

6. ✅ Jersey Client (org.glassfish.jersey.core:jersey-client) - 2.47

  • Files using it: 0
  • Status: Declared "for axis2 1.8.2" but with explicit exclusions
  • Note: Apache HttpComponents 4.5.14 is the primary HTTP client (23 files)
  • Action: Remove from pom.xml
  • Risk: None

7. ✅ Apache Velocity 1.7 (org.apache.velocity:velocity) - DUPLICATE VERSION

  • Files using it: 0 (all usage is via velocity-engine-core 2.4.1)
  • Status: EOL since 2010; replaced by velocity-engine-core 2.4.1 (5 files)
  • Action: Remove velocity 1.7, keep velocity-engine-core 2.4.1
  • Risk: None

TIER 2: Low Usage - Migrate/Remove (< 5 Files)

These libraries have minimal usage and should be migrated to modern alternatives or removed.

1. ⚠️ Apache XML-RPC (xmlrpc:xmlrpc) - 1.2-b1

  • Files using it: 4
    • RxDrugRef.java (drug reference lookups)
    • TimingOutCallback.java
    • FrmSetupForm2Action.java
    • FrmForm2Action.java
  • Status: Pre-release version from 2003 (20+ years old!)
  • Issue: XML-RPC protocol is legacy; REST is modern standard
  • Recommendation: Migrate to REST API or GraphQL
  • Effort: Medium (requires external service API changes)
  • Risk: Medium (depends on external DrugRef service)

2. ⚠️ ZXing (zxing:zxing-core, zxing-j2se) - 1.5

  • Files using it: 3
    • PrescriptionQrCodeUIBean.java (prescription QR codes)
    • QrCodeUtils.java (utility class)
    • MfaManagerImpl.java (MFA QR codes)
  • Status: Functional but outdated (latest: 3.5.x)
  • Purpose: QR code generation for prescriptions and MFA
  • Recommendation: Keep but consider upgrading to 3.5.x
  • Effort: Low (API likely compatible)
  • Risk: Low (isolated functionality)

3. ⚠️ Commons Digester (commons-digester:commons-digester) - 1.8

  • Files using it: 3
    • EctFindMeasurementTypeUtil.java (XML config parsing)
    • EFormLoader.java (e-form configuration)
    • UCRConfigurationManager.java (custom reports)
  • Status: Legacy XML processing library
  • Replacement: JDOM2 (already used in 28 files) or standard javax.xml
  • Recommendation: Migrate to JDOM2 for consistency
  • Effort: Low to Medium (rewrite XML parsing)
  • Risk: Low (well-defined scope)

4. ⚠️ JTidy (com.github.jtidy:jtidy) - 1.0.5

  • Files using it: 1
    • Doc2PDF.java (HTML cleaning for PDF generation)
  • Status: Unmaintained fork; last update 2019
  • Replacement: JSoup 1.17.2 (already used in 4 files)
  • Recommendation: Migrate to JSoup for HTML parsing/cleaning
  • Effort: Low (single file change)
  • Risk: Low (JSoup is actively maintained)

5. ⚠️ Xerces (xerces:xercesImpl) - 2.12.2

  • Files using it: 1
    • JDBCUtil.java (XML parsing for JDBC config)
  • Status: Low usage; standard Java XML libraries sufficient
  • Replacement: javax.xml.parsers (built-in)
  • Recommendation: Remove dependency, use standard Java XML
  • Effort: Low (single file change)
  • Risk: Low (standard Java APIs)

TIER 3: Critical Consolidation Opportunities

These require code changes but will significantly improve consistency.

1. 🔄 Jettison (org.codehaus.jettison:jettison) - 1.5.4

  • Files using it: 10 (7 Java + 1 JSP + generated)
    • Scratch2Action.java
    • ClinicalConnectViewer2Action.java
    • HRM2Action.java
    • EctDisplayEHR2Action.java
    • ImportDemographicDataAction42Action.java
    • JSONAction.java
    • dhirSubmission.jsp
  • Status: Legacy JSON library; pom.xml explicitly excludes it from CXF
  • Replacement: Jackson 2.19.2 (already used in 115 files)
  • Comment in pom.xml: "Switched from Jettison to Jackson for JSON handling in CXF JAX-RS providers"
  • Recommendation: Complete migration from Jettison to Jackson
  • Effort: Medium (10 files to refactor)
  • Risk: Low (Jackson is more robust and actively maintained)

2. 🔄 Display Tag (displaytag:displaytag) - 1.2

  • Files using it: 13 (2 Java + 11 JSP)
    • BillCodesTableWrapper.java
    • attachClient.jsp
    • Multiple other JSP files
  • Status: Unmaintained since 2012; excludes vulnerable iText 1.3
  • pom.xml comment: "only used in 1 deprecated feature" (INCORRECT - used in 13 files)
  • Replacement: Modern JavaScript table libraries (DataTables, AG Grid) or server-side pagination
  • Recommendation: Plan migration to modern table rendering
  • Effort: High (requires JSP refactoring and UI redesign)
  • Risk: Medium (affects user-facing tables)

3. 🔄 Velocity - Multiple Versions

  • velocity 1.7: EOL since 2010 - REMOVE
  • velocity-engine-core 2.4.1: Current - KEEP
  • velocity-tools-generic 3.1: Tools library - KEEP
  • Files using Velocity: 5
    • WaitListManager.java
    • VelocityUtils.java
    • Renal2Action.java
    • BillingFormData.java
    • Test file: WaitListManagerTest.java
  • Action: Remove velocity 1.7, consolidate on velocity-engine-core 2.4.1
  • Effort: None (already using 2.4.1)
  • Risk: None

TIER 4: Keep But Monitor

These libraries are actively used but have concerns.

1. 📊 Drools (drools:drools-all) - 2.0 (from 2005)

  • Files using it: 17
  • Status: Active usage but extremely outdated (released 2005, 20 years old!)
  • Used in:
    • Decision support system
    • Prevention guidelines
    • Clinical reports
    • Measurement flowsheets
    • Workflow engine
  • Current Version: Drools 9.x (KIE/jBPM)
  • Recommendation: Plan upgrade to modern Drools (major breaking changes expected)
  • Effort: High (API changes in 2.x → 9.x)
  • Risk: High (core business logic)

2. 📊 XML Processing Libraries - Consolidation Needed

Multiple XML libraries with overlapping functionality:

XMLBeans (org.apache.xmlbeans:xmlbeans) - 3.1.0

  • Files using it: 105 (mostly generated)
  • Status: Core library for schema-based XML (AR2005, CKD, CIHI, HRM)
  • Recommendation: Keep (too deeply integrated)

JDOM2 (org.jdom:jdom2) - 2.0.6.1

  • Files using it: 28
  • Status: Active usage (Drools, measurements, labs, prevention)
  • Recommendation: Keep (standard XML processing)

DOM4J (org.dom4j:dom4j) - MISSING FROM POM.XML!

  • Files using it: 1 (ManageDashboard2Action.java)
  • Status: Imported but not declared in pom.xml (transitive dependency)
  • Issue: Hidden dependency; should be explicit
  • Recommendation: Either add to pom.xml OR migrate to JDOM2

Recommended Implementation Plan

Phase 1: Safe Removals (Week 1)

PR #1: Remove unused libraries (Tier 1)

  • Remove Gson
  • Remove Ostermiller Utils
  • Remove JCharts
  • Remove TagSoup
  • Remove Jersey Client
  • Remove Velocity 1.7
  • Investigate Janino (verify JasperReports)

Effort: 1-2 hours
Risk: None
Testing: Full build + smoke tests

Phase 2: Low-Hanging Fruit (Week 2)

PR #2: Migrate single-file dependencies

  • Migrate JTidy (1 file) to JSoup
  • Migrate Xerces (1 file) to standard Java XML
  • Upgrade ZXing 1.5 → 3.5.x (3 files)

Effort: 4-8 hours
Risk: Low
Testing: PDF generation, JDBC config, QR code generation

Phase 3: Consolidation (Weeks 3-4)

PR #3: Jettison to Jackson migration

  • Migrate 7 Java files from Jettison to Jackson
  • Migrate 1 JSP file
  • Update CXF configuration
  • Remove Jettison dependency

Effort: 1-2 days
Risk: Low to Medium
Testing: All REST APIs, JSON endpoints

PR #4: Commons Digester to JDOM2

  • Migrate 3 files to JDOM2
  • Remove Commons Digester

Effort: 1 day
Risk: Low
Testing: Measurements, e-forms, custom reports

Phase 4: Long-Term Planning

Future Work (separate epics):

  1. Display Tag Replacement: Plan modern table library migration (high effort)
  2. Drools Upgrade: 2.0 → 9.x (very high effort, breaking changes)
  3. XML-RPC to REST: Migrate DrugRef integration (depends on external service)

Testing Checklist

After each phase:

  • Build: Clean build succeeds (make clean && make install --run-tests)
  • Unit Tests: All tests pass
  • Integration Tests: Core workflows function
  • Smoke Tests:
    • Patient demographics CRUD
    • Prescription creation (QR codes in Phase 2)
    • Lab results viewing
    • Document generation (PDF/RTF in Phase 2)
    • REST API endpoints (Phase 3)
    • E-forms (Phase 3)

Dependency Analysis Commands

To verify library usage before removal:

# Search for imports
grep -r "import com.google.gson" src/

# Search for class usage
grep -r "Gson" src/ --include="*.java"

# Check Maven dependency tree
mvn dependency:tree -Dincludes=com.google.code.gson:gson

# Analyze unused dependencies
mvn dependency:analyze

Security Benefits

Removing unused libraries reduces:

  1. CVE Exposure: Fewer dependencies = fewer security vulnerabilities to track
  2. Attack Surface: Less code = fewer potential exploit vectors
  3. Maintenance Burden: Fewer libraries to update during security patches

Example: Removing Ostermiller Utils, Janino, JCharts, TagSoup, Jersey Client, Gson, Velocity 1.7 = ~250KB+ JAR reduction + 7 fewer libraries to monitor

References

Analysis Generated: 2026-01-27
Related Issues: #2136 (dependency updates)
Priority: Medium (technical debt reduction)
Labels: type: maintenance, priority: medium, dependencies, technical-debt, good first issue (Phase 1)

Generated by @claude - comprehensive library usage analysis for OpenO EMR

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    Maintenance

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions