0

Hello ladies and gentlemen,

the problem i have is that in my spring boot project snake yaml version 1.33 is still downloaded though I upgraded the snake yaml version to 2.0.

I deleted the .gradle/caches folder and built my project new.

Here is some information:

build.gradle:

plugins {
    id 'java-platform'
    id 'org.springframework.boot' version "3.1.1" apply false
    id 'io.spring.dependency-management' version '1.1.0'
    id "org.openapi.generator" version "6.6.0" apply false
    id 'com.gorylenko.gradle-git-properties' version '2.4.1' apply(false)
    id 'com.yupzip.wsdl2java' version '3.0.0' apply false
}

version = currentVersion

javaPlatform {
    allowDependencies()
}

allprojects {
    repositories {
        mavenLocal()
        maven {
            credentials {
                username = "${artifactoryUser}"
                password = "${artifactoryPassword}"
            }
            url "${artifactoryUrl}/XYZ-maven"
        }
    }
}

subprojects {
    // java language and source defaults
    apply plugin: "java-library"
    apply plugin: 'org.springframework.boot'
    apply plugin: 'io.spring.dependency-management'

    sourceCompatibility = 17
    targetCompatibility = 17
    compileJava.options.encoding = 'UTF-8'

    // jar target names
    version = "${currentVersion}"
    archivesBaseName = rootProject.getName() + it.path.replace(":", "-")

    compileJava.dependsOn(processResources)

    dependencyManagement {
        imports {
            mavenBom "org.springframework.cloud:spring-cloud-dependencies:2022.0.3"
            mavenBom "org.apache.cxf:cxf-bom:4.0.1"
        }
    }

    bootJar {
        enabled = 'application' == it.name
    }

    dependencies {
        // enable referencing dependencies for the gradle scopes
        implementation platform(rootProject)
        testCompileOnly platform(rootProject)
        annotationProcessor platform(rootProject)
        testAnnotationProcessor platform(rootProject)

        compileOnly "org.mapstruct:mapstruct:1.5.5.Final"
        compileOnly "org.projectlombok:lombok"

        compileOnly "org.springframework.boot:spring-boot-configuration-processor"

        testCompileOnly "org.projectlombok:lombok"
        testAnnotationProcessor "org.projectlombok:lombok"
        implementation 'org.projectlombok:lombok-mapstruct-binding:0.2.0'

        annotationProcessor "org.projectlombok:lombok"
        annotationProcessor "org.mapstruct:mapstruct-processor:1.5.5.Final"
        annotationProcessor "org.springframework.boot:spring-boot-configuration-processor"
        annotationProcessor "org.hibernate.validator:hibernate-validator-annotation-processor"

        api 'de.XYZ-framework-spring-3:23.4.11'
        api "org.springframework.boot:spring-boot-starter"
        api "org.springframework.boot:spring-boot-starter-json"
        api 'org.springframework.boot:spring-boot-starter-web'
        api "org.springframework.boot:spring-boot-starter-aop"
        api 'org.springframework.boot:spring-boot-starter-validation'
        api 'org.springframework.boot:spring-boot-starter-actuator'
        api 'org.springframework.boot:spring-boot-actuator-autoconfigure'

        api "org.springframework.cloud:spring-cloud-starter-config"

        // apache commons
        api 'org.apache.commons:commons-text:1.10.0'
        api 'org.apache.commons:commons-lang3'
        api 'org.apache.commons:commons-collections4'

        api "com.google.code.findbugs:jsr305:3.0.2"
        api 'org.springdoc:springdoc-openapi-ui:1.6.14'
        api "com.fasterxml.jackson.core:jackson-databind"

        api 'com.github.vandeseer:easytable:0.8.5'

        //
        // TESTING
        //

        // spring test without junit4
        testImplementation('org.springframework.boot:spring-boot-starter-test')
    }

    configurations.configureEach {
        resolutionStrategy.dependencySubstitution {
            substitute module('org.yaml:snakeyaml') using module('org.yaml:snakeyaml:2.0') withoutClassifier() because('version 1.33 is vulnerable')
        }
    }

    clean {
        delete "out"
        delete "bin"
    }

    // ide support
    apply plugin: 'idea'

    test {
        useJUnitPlatform()
    }

}

This a part of the dependency tree:

enter image description here

After deleting .gradle/caches and newly generating:

enter image description here

So the problem is that

org.springframework.boot:spring-boot-starter:3.1.1

and io.swagger.core.v3:swagger-core:2.2.7

have snake yaml version 1.33 as sub depdencies.

I already tried excluding it some way like:

dependencies {
// Exclude snakeyaml version 1.33 from swagger-core
api("io.swagger.core.v3:swagger-core:2.2.7") {
    exclude group: 'org.yaml', module: 'snakeyaml', version: '1.33'
}

// Exclude snakeyaml version 1.33 from spring-boot-starter
api("org.springframework.boot:spring-boot-starter:3.1.1") {
    exclude group: 'org.yaml', module: 'snakeyaml', version: '1.33'
}

but when deleting the .gradle/caches folder and building it all new it still downloads snake version 1.33.

Thank you in advance.

tdog
  • 27
  • 1
  • 5
  • Well yeah, the dependency tree in fact tells you that `snakeyaml` 1.3.3 is a dependency of `sprint-boot-starter-validation` 3.1.1 – Rogue Aug 30 '23 at 15:43
  • Yes, and of Swagger Code gen. The question is how i can prevent it from loading the sub dependency – tdog Aug 30 '23 at 19:18
  • You can force Gradle to use a specific version. Examples using `resolutionStrategy` can be found in various other SO question and elsewhere if you search for gradle force dependency version: https://stackoverflow.com/questions/28444016/how-can-i-force-gradle-to-set-the-same-version-for-two-dependencies You can also sometimes get away by importing the transitive and placing a `!` and the end of the version. You just have to make sure your change of version doesn't break the thing including it.. that is, 1.33 -> 2.0 is a breaking change in snakeyaml. Make sure your code doesn't break! – User51 Aug 31 '23 at 14:41

0 Answers0