spring-gradle-plugins / dependency-management-plugin

A Gradle plugin that provides Maven-like dependency management functionality

Dependencies declared in a platform are excluded unless applyMavenExclusions is set to false #368

Closed PeterFokkinga closed 8 months ago

PeterFokkinga commented 8 months ago

This is similar / a continuation of issue #360 (which was closed as resolved) and #361 where we were asked for a minimal example that reproduces the problem remaining.

The following build.gradle works (using Gradle 8.4):

```groovy
plugins {
    id 'java'
    id 'io.spring.dependency-management' version '1.1.0'
}

repositories {
    mavenCentral()
    maven {
        url = uri("https://maven.pkg.github.com/PeterFokkinga/spring-dependency-issue")
    }
}

dependencies {
    implementation platform('nl.fokkinga:simple-bom:0.9')
}
```

(screenshot of the resolved dependency tree not included)

But with dependency-management 1.1.1 / 1.1.2 and 1.1.3 the transient dependencies are not found:

(screenshot of the failed resolution not included)

This issue prevents us from updating Spring-boot in our projects to a version newer than 3.1.1

wilkinsona commented 8 months ago

Thanks for the report, @PeterFokkinga.

> This issue prevents us from updating Spring-boot in our projects to a version newer than 3.1.1

That need not be the case. You can use Spring Boot 3.1.2 and later with 1.1.0 of the dependency management plugin. One way to do that is by forcing its version:

```groovy
buildscript {
    configurations.classpath.resolutionStrategy {
        force 'io.spring.gradle:dependency-management-plugin:1.1.0'
    }
}
```

wilkinsona commented 8 months ago

@PeterFokkinga the sample doesn't work due to a 401 response:

```
401 Unauthorized: https://maven.pkg.github.com/PeterFokkinga/spring-dependency-issue/nl/fokkinga/simple-bom/0.9/simple-bom-0.9.pom
```

Edit: never mind, I can reproduce it by publishing the platform locally and referring to that.

wilkinsona commented 8 months ago

Another workaround:

```groovy
dependencyManagement {
    applyMavenExclusions = false
}
```

PeterFokkinga commented 8 months ago

Thanks for the workarounds, I can confirm that we can use Spring-boot 3.1.4 in our projects with:

```groovy
plugins {
...
    id 'org.springframework.boot' version '3.1.4'
    id 'io.spring.dependency-management' version '1.1.3'
}
...
dependencyManagement {
    applyMavenExclusions = false
}
...
```

(or use 1.1.0 as long as applyMavenExclusions = false is provided)

wilkinsona commented 8 months ago

The minimal example now works with 1.1.4-SNAPSHOT. @PeterFokkinga it'd be great if you could give it a try in your real project and confirm the fix. You can use 1.1.4-SNAPSHOT by adding the following to settings.gradle:

```groovy
pluginManagement {
    repositories {
        maven { url "https://repo.spring.io/plugins-snapshot" }
    }
}
```

PeterFokkinga commented 8 months ago

@wilkinsona 1.1.4-SNAPSHOT works partially. When I replace the workaround with 1.1.4-SNAPSHOT the project, including tests, compiles, but the tests won't run with `java.lang.ClassNotFoundException: okio.Buffer`.

Looking into it I see that the com.squareup.okio package is not in the list of dependencies when using 1.1.4-SNAPSHOT, whereas it is when using the workaround. It comes from rather deep down, and by using a constraint (note that the okhttp3 package is in the dependencies when using 1.1.4-SNAPSHOT):

```
project
 +--- implementation platform('nl.rug.education:rug-bom-implementation:1.0.10')
           +--- api 'nl.rug.education:education-lib:1.6.29'
                     +--- api 'nl.rug.commons:rug-commons-brightspace:2.5.7'
                                  constraints {
                                          implementation('com.squareup.okio:okio') {
                                              version {
                                                  require '3.6.0'
                                                  prefer 'latest.release'
                                                  reject '3.2.0'
                                              }
                                              because '3.2.0 as used by okhttp3 has known vulnerabilities'
                                          }
                                      }
                                      implementation group: 'com.squareup.okhttp3', name: 'okhttp', version: '4.11.0'
```

Hope this gives a clue.
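The failure mode in this thread is silent: a platform's transitive dependency (or a version constraint that exists to keep a vulnerable okio release out) is dropped at resolution time and nothing complains until a test hits `ClassNotFoundException`. The build script below is an added example, not code from this issue or from the dependency-management plugin project. It combines the platform, the okio constraint and the `applyMavenExclusions = false` workaround from the thread with a verification task that fails the build if an expected module is missing from the runtime classpath or if a version the constraint rejects is what actually got resolved. The task name, the `expected` and `rejected` lists and the messages are assumptions of mine; the platform coordinate is the one from the report, so the BOM has to be published in a repository the build can reach (the GitHub Packages repository in the report answered with a 401).

```groovy
// Added example (not from the issue thread or the plugin project).
// Assumes Gradle 8.x, plugin 1.1.3 and a reachable copy of the BOM.
plugins {
    id 'java'
    id 'io.spring.dependency-management' version '1.1.3'
}

repositories {
    mavenCentral()
    // Add the repository that actually hosts the platform here.
}

dependencies {
    // The platform (BOM) whose transitive dependencies were being dropped.
    implementation platform('nl.fokkinga:simple-bom:0.9')

    // Same constraint as in the thread: keep the vulnerable okio release out.
    constraints {
        implementation('com.squareup.okio:okio') {
            version {
                require '3.6.0'
                prefer 'latest.release'
                reject '3.2.0'
            }
            because '3.2.0 as used by okhttp3 has known vulnerabilities'
        }
    }
}

// Workaround for plugin 1.1.1 - 1.1.3 from the thread: stop the plugin from
// applying Maven-style exclusions, which is what removed the platform's deps.
dependencyManagement {
    applyMavenExclusions = false
}

// Verification task (assumed name): inspect the resolved runtime classpath and
// fail fast instead of discovering a missing class at test time.
tasks.register('verifyRuntimeClasspath') {
    // Modules that must be present (assumed list for this example).
    def expected = ['com.squareup.okio:okio', 'com.squareup.okhttp3:okhttp']
    // Versions the constraint is supposed to reject, keyed by group:name.
    def rejected = ['com.squareup.okio:okio': ['3.2.0']]
    def runtimeClasspath = configurations.runtimeClasspath
    dependsOn runtimeClasspath
    doLast {
        // Collect group:name -> resolved version for every component in the graph.
        def resolved = [:]
        runtimeClasspath.incoming.resolutionResult.allComponents { component ->
            def id = component.moduleVersion
            if (id != null) {
                resolved["${id.group}:${id.name}".toString()] = id.version
            }
        }
        def problems = []
        expected.each { ga ->
            if (!resolved.containsKey(ga)) {
                problems << "missing from runtime classpath: ${ga}"
            }
        }
        rejected.each { ga, versions ->
            if (versions.contains(resolved[ga])) {
                problems << "rejected version resolved: ${ga}:${resolved[ga]}"
            }
        }
        if (!problems.isEmpty()) {
            throw new GradleException(problems.join('\n'))
        }
    }
}

// Run the check as part of the normal build so CI catches regressions.
tasks.named('check') { dependsOn 'verifyRuntimeClasspath' }
```

Running `gradle check` (or `gradle verifyRuntimeClasspath --refresh-dependencies` after switching plugin versions) turns the regression described in this thread into a build failure with the offending coordinate in the message. The same task is a cheap way to confirm that a `reject` in a constraint actually took effect, since Gradle only reports a conflict when the rejected version is the sole candidate, not when a newer one quietly wins.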

wilkinsona commented 8 months ago

Thanks for trying the snapshot.

I think the latest part of the problem should now be fixed too. Please give the new snapshot a try (with --refresh-dependencies if necessary) and let me know if that's not the case.

PeterFokkinga commented 8 months ago

@wilkinsona the current 1.1.4-SNAPSHOT works perfectly!

wilkinsona commented 8 months ago

Great! Thanks for giving it a try, @PeterFokkinga.