search

spring-projects-experimental / spring-boot-thin-launcher

Tools for building "thin" executable jars, with a focus on, but not exclusively for, Spring Boot
https://github.com/dsyer/spring-boot-thin-launcher
Apache License 2.0
681 stars 90 forks source link

Wrong dependencies downloaded when used flatten plugin. #144

Closed belkevglaz closed 4 years ago

belkevglaz commented 4 years ago

Hi @dsyer I faced with weird situation when thin jar downloaded different versions of dependencies with flatten-maven-plugin. For show, I prepared simple multi-module project https://github.com/belkevglaz/springboot-thin-issue-app. The script in this project checks downloaded .m2 repositories in both cases: with flatten pom and no. The output shows difference with spring-security-config. Thin jar no flatten run and search : find ./.m2-noflat/ -name "spring-security-config*" Result: ./.m2-noflat/repository/org/springframework/security/spring-security-config/5.2.0.RELEASE/spring-security-config-5.2.0.RELEASE.jar

Thin jar with flatten run : find ./.m2-flat/ -name "spring-security-config* Result : ./.m2-flat/repository/org/springframework/security/spring-security-config/3.2.10.RELEASE/spring-security-config-3.2.10.RELEASE.jar

And finally, fat jar with flatten too : unzip -l ./service-module/target/service-module-fat.jar | grep "spring-security-config*" Result: 858512 2019-09-30 21:28 BOOT-INF/lib/spring-security-config-5.2.0.RELEASE.jar

At the same time in output mvn dependency:tree there are no any mentions about wrong (3.2) library version. What's wrong ? Thanks

dsyer commented 4 years ago

What version of the thin launcher are you using?

belkevglaz commented 4 years ago

What version of the thin launcher are you using?

1.0.24.RELEASE

dsyer commented 4 years ago

How about trying 1.0.25? I think one of the bug fixes for the last release is probably relevant.

belkevglaz commented 4 years ago

Updated to 1.0.25.RELEASE. Unfortunately, no effect. Wrong dep version still downloaded.

dsyer commented 4 years ago

Thanks for the sample. I wonder why you need the flatten plugin in your app? The problem is that when you use that, it erases the parent and dependency management information, so you can't really expect it to be resolvable when you run the jar. If you only use the flatten plugin in your libraries (not your executables) it will keep the dependency management information. Alternatively you can put the dependency management information in a META-INF/thin.properties in your app, e.g. 

boms.spring-boot=org.springframework.boot:spring-boot-dependencies:2.2.0.RELEASE