Explicitly declare and isolate dependencies

Software dependencies, together with the versions required to run the application, must be specified explicitly. This covers not only the dependencies the application is programmed against, such as third-party APIs, but also the implicit dependencies on the Java runtime and on the operating system. Explicitly specifying the required versions leads to far fewer compatibility issues in production: it is one specific composition of software versions that was tested during the development workflow, and dependency versions that differ when binaries are rebuilt introduce potential issues that were never tested for. It is therefore advisable to declare all software versions explicitly, to reduce the probability of error and to enable reproducible builds.

Container technology supports this principle, since all software installation steps are spelled out in the image definition. Versions of the base images used should be declared explicitly, so that image rebuilds produce the same result. The Docker latest tag should therefore be avoided in favor of definite versions, and every software installation specified in a Dockerfile should point to an explicit version as well. Docker rebuilds, with or without cache, should produce the same outcome.
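The following Dockerfile illustrates the difference between floating and pinned versions. It is an added example and not part of the book's project; the image tag, the package version, and the artifact name are assumptions chosen for illustration, and the right values are the ones your own build was actually tested against.

```dockerfile
# Weak: floating references. Two rebuilds of this file can yield different
# images, because both the base image and the installed package move over time.
#   FROM openjdk:latest
#   RUN apt-get update && apt-get install -y curl

# Pinned: every component names a definite version.
# The tag and package version are illustrative assumptions, not recommendations.
FROM openjdk:8u181-jre-slim

# Pin the OS package to an exact version. If that version disappears from the
# distribution repository, apt-get fails the build, which is the desired signal:
# the composition being built is no longer the one that was tested.
RUN apt-get update \
 && apt-get install -y --no-install-recommends curl=7.52.1-5+deb9u7 \
 && rm -rf /var/lib/apt/lists/*

# The application artifact carries its own explicitly declared dependency
# versions, pinned by the build system (Maven or Gradle).
COPY target/hello-cloud.jar /opt/hello-cloud.jar

ENTRYPOINT ["java", "-jar", "/opt/hello-cloud.jar"]
```

Even a specific tag can be re-pushed by the image publisher. Where the rebuild must be bit-for-bit identical, reference the base image by its content digest (`FROM openjdk@sha256:` followed by the digest reported by `docker pull` or `docker inspect`), which cannot change without changing the reference.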

Java applications specify their dependencies using build systems. The first chapter already covered what is necessary to enable reproducible builds using both Maven and Gradle. In Java EE applications, these dependencies are ideally minimized to the Java EE API.

Whenever possible, it's advisable to specify explicit dependency versions rather than floating latest ones. Only software built from explicit versions can be tested reliably.
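A minimal Maven build file that follows both of the previous paragraphs, as an added example rather than the book's own project: the only compile-time dependency is the Java EE API, and every version, including that of the build plugin, is stated explicitly. The group and artifact names are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.example.cloud</groupId>
    <artifactId>hello-cloud</artifactId>
    <version>1.0.0</version>
    <packaging>war</packaging>

    <properties>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <dependencies>
        <!-- The application is programmed against the Java EE API only.
             The implementation is supplied by the application server at
             runtime, hence the provided scope. The version is an exact
             value, never a range such as [8.0,9.0). -->
        <dependency>
            <groupId>javax</groupId>
            <artifactId>javaee-api</artifactId>
            <version>8.0</version>
            <scope>provided</scope>
        </dependency>
    </dependencies>

    <build>
        <finalName>hello-cloud</finalName>
        <plugins>
            <!-- Build plugins are dependencies of the build as well; an
                 unpinned plugin version makes the rebuild non-reproducible. -->
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-war-plugin</artifactId>
                <version>3.2.2</version>
                <configuration>
                    <failOnMissingWebXml>false</failOnMissingWebXml>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>
```

Maven version ranges and `LATEST`/`RELEASE` metaversions are the build-system equivalent of the Docker latest tag: they resolve to whatever the repository holds at build time, so the artifact that reaches production may never have been tested.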

Isolating dependencies is a necessity for distributed development across the software team. Software artifacts should be accessible via well-defined processes, for example artifact repositories. Dependencies that are added during the software build, whether Java runtime installations, Java artifacts, or operating system components, need to be distributed from a central place. Repositories such as Maven Central, Docker Hub, or company-internal repositories enable this approach.
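One way to route every Maven artifact through a single, controlled place is a mirror entry in the developer's or build server's settings file. This is an added example, not configuration from the book; the repository host name is an assumption.

```xml
<!-- ~/.m2/settings.xml -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
    <mirrors>
        <!-- Every repository, Maven Central included, is resolved through the
             company-internal repository, which proxies and caches upstream
             artifacts. Builds therefore see one consistent set of artifacts,
             and the build no longer depends on the availability or contents
             of arbitrary external repositories. -->
        <mirror>
            <id>company-central</id>
            <name>Company-internal artifact repository</name>
            <url>https://repo.example.com/maven2</url>
            <mirrorOf>*</mirrorOf>
        </mirror>
    </mirrors>
</settings>
```

The same idea applies to the other dependency classes the paragraph names: Docker images are pulled from an internal registry that proxies Docker Hub, and operating system packages from an internal package mirror, so that a rebuild never depends on what an external source happens to serve that day.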
