
I am using Maven to set up dependency in my app.

I am using Spring Boot v2.1.12.RELEASE which brings in Spring Core v5.1.13.

But there is also a library, Spring Integration v5.1.9 (which is the latest), which brings in Spring Core v5.1.11.RELEASE.

As you can see, I want Spring Integration not to resolve to v5.1.11 of Spring Core, as it has some vulnerabilities.

Is there any way to specify in the POM for Spring Integration to resolve to 5.1.13 of Spring Core (instead of 5.1.11)?

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
        <version>2.1.12.RELEASE</version>
    </dependency>

    <dependency>
        <groupId>org.springframework.integration</groupId>
        <artifactId>spring-integration-core</artifactId>
        <version>5.1.9</version>
    </dependency>

P.S. I do not want to upgrade to the latest release of Spring Boot.

Alexander
Suvojit
  • Technically you can of course upgrade and simply add this dependency to your pom file and update the version, but I strongly discourage doing so because this implies some other dependencies (transitive). I recommend upgrading your spring-boot version to the most recent one, 2.2.4.RELEASE... – khmarbaise Feb 03 '20 at 11:40
  • 1
    If it resolves to 5.1.11 you are doing something wrong in your pom. Spring Boot manages the dependencies. In other words, please post your `pom.xml`. – M. Deinum Feb 03 '20 at 11:40
  • @M.Deinum: Added the POM snapshot – Suvojit Feb 03 '20 at 12:26
  • You should import the spring-boot-dependencies or define Spring Boot as the parent (as described [here](https://docs.spring.io/spring-boot/docs/current/reference/html/using-spring-boot.html#using-boot-maven)). Remove the version tag for Spring Integration. – M. Deinum Feb 03 '20 at 13:22

2 Answers

1

Use the Maven exclusion tag to exclude the transitive dependency; make sure the excluded library is directly added to the POM or is pulled in by some other dependency.

<dependency>
   <groupId>org.springframework.integration</groupId>
   <artifactId>spring-integration-core</artifactId>
   <version>5.1.9</version>
   <exclusions>
      <!-- an <exclusion> takes only groupId and artifactId; it matches
           every version of that artifact, so no <version> element belongs here -->
      <exclusion>
         <groupId>org.springframework</groupId>
         <artifactId>spring-core</artifactId>
      </exclusion>
   </exclusions>
</dependency>

DISCLAIMER: This is just a workaround for your immediate need; use it only when no other options are possible, as managing Spring-managed dependencies ourselves is not maintainable in the long run.

Satish
  • 1
    If you start doing this in a Spring Boot app you are doing it wrongly (especially when it comes to Spring Boot managed dependencies). – M. Deinum Feb 03 '20 at 13:23
  • @M.Deinum I agree with you. Spring-managed dependencies we should not start managing; that defeats the purpose and it's harder to maintain in the long run. Yet, if a user decides to go for it as a last resort to get around his limitations for any reason, then there is a way, and that's what I tried to convey with my answer. – Satish Feb 03 '20 at 14:00
  • @M.Deinum Added a disclaimer to my answer. Thanks for pointing this out. – Satish Feb 03 '20 at 14:07
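The answer above tells you to exclude spring-core and then make sure it is still "directly added to the POM", but shows only the exclusion half. The following is an added example, not code from the answer, that carries the workaround through: the two dependencies from the question, the exclusion on spring-integration-core, and an explicit direct declaration of the patched spring-core so the exclusion does not leave the classpath without it. Versions are the ones named in the question; nothing else is assumed.

```xml
<!-- Added example (not from the answer): the exclusion workaround completed.
     Maven's "nearest wins" rule means a dependency declared directly (depth 1)
     beats the 5.1.11 copy that spring-integration-core would otherwise pull in. -->
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
        <version>2.1.12.RELEASE</version>
    </dependency>

    <dependency>
        <groupId>org.springframework.integration</groupId>
        <artifactId>spring-integration-core</artifactId>
        <version>5.1.9</version>
        <exclusions>
            <!-- An <exclusion> is keyed by groupId and artifactId only;
                 it is not versioned. -->
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-core</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

    <!-- The half the answer says you must not forget: declare the patched
         spring-core yourself, otherwise the exclusion removes it entirely
         and the build fails at runtime with missing classes. -->
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-core</artifactId>
        <version>5.1.13.RELEASE</version>
    </dependency>
</dependencies>
```

After changing the POM, confirm which version actually lands on the classpath rather than trusting the declaration: `mvn dependency:tree -Dincludes=org.springframework:spring-core` prints only the spring-core nodes of the resolved tree, and every one of them should read 5.1.13.RELEASE. Keep in mind that spring-core is only one of several Spring artifacts the starters pull in (spring-beans, spring-context, spring-web, and so on); pinning a single artifact by hand leaves the rest at whatever version each path resolves to, which is the maintainability problem the disclaimer warns about.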
0

I used the recommendation in the post Dependency Management to overcome my challenge.

So I excluded the spring-core dependency from Spring Integration and also added the Spring Core library using the code below:

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework</groupId>
                <artifactId>spring-core</artifactId>
                <version>5.1.13.RELEASE</version>
            </dependency>
        </dependencies>
    </dependencyManagement>
Suvojit
  • The fact that you need this is a clear indication that your pom has issues. – M. Deinum Feb 03 '20 at 14:09
  • Yes, it could be because someone who designed the POM has not included spring-boot-starter-parent, which is a little annoying. – Suvojit Feb 11 '20 at 09:04
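The last comment explains the root cause: the POM has no spring-boot-starter-parent, so nothing is managing the Spring versions and the vulnerable spring-core wins on one path. The following is an added example, not code from either answer, showing the fix M. Deinum's comment points at for a project that cannot change its parent: import Spring Boot's `spring-boot-dependencies` BOM into `dependencyManagement` and drop the explicit versions. It assumes, as that comment does, that the Boot 2.1.12 BOM also manages spring-integration-core; the spring-core version it settles on is the 5.1.13 the question attributes to Boot 2.1.12.

```xml
<!-- Added example (not from the answers): let Spring Boot's BOM manage every
     Spring artifact instead of pinning spring-core by hand. Versions declared
     in dependencyManagement override transitive versions on every path, which
     a plain direct dependency (nearest wins) does only for itself. -->
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-dependencies</artifactId>
            <version>2.1.12.RELEASE</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

<dependencies>
    <!-- No <version> on either artifact: the imported BOM supplies them,
         including the spring-core version Boot 2.1.12 was built against
         (5.1.13 per the question), and it applies to spring-integration-core's
         transitive spring-core as well. -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.integration</groupId>
        <artifactId>spring-integration-core</artifactId>
    </dependency>
</dependencies>
```

Verify the result the same way as before with `mvn dependency:tree -Dincludes=org.springframework:spring-core`; once the BOM is in place the tree should show a single spring-core version and no `(version managed from 5.1.11.RELEASE)` leftovers on other Spring artifacts. The security benefit over the per-artifact pin is that every Spring module moves together when you bump the one BOM version, so a future advisory is addressed by one edit rather than by hunting for each transitive path.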