search

spring-projects / spring-boot

Spring Boot
https://spring.io/projects/spring-boot
Apache License 2.0
74.94k stars 40.64k forks source link

`spring-boot-starter-remote-shell` should not depend (transitively) on groovy-all 1.8.9 #2257

Closed ceefour closed 9 years ago

ceefour commented 9 years ago

Since spring-boot-starter-remote-shell already depends on groovy 2.3.8, shouldn't it exclude groovy-all 1.8.9 ?

+--- org.springframework.boot:spring-boot-starter-remote-shell: -> 1.2.0.RELEASE
|    +--- org.springframework.boot:spring-boot-starter:1.2.0.RELEASE (*)
|    +--- org.springframework.boot:spring-boot-starter-actuator:1.2.0.RELEASE (*)
|    +--- org.springframework:spring-core:4.1.3.RELEASE
|    +--- org.springframework:spring-context:4.1.3.RELEASE (*)
|    +--- org.crashub:crash.cli:1.3.0
|    +--- org.crashub:crash.connectors.ssh:1.3.0
|    |    +--- org.crashub:crash.shell:1.3.0
|    |    |    +--- org.crashub:crash.cli:1.3.0
|    |    |    \--- org.codehaus.groovy:groovy-all:1.8.9
|    |    +--- org.apache.sshd:sshd-core:0.11.0
|    |    |    \--- org.apache.mina:mina-core:2.0.7
|    |    |         \--- org.slf4j:slf4j-api:1.6.6 -> 1.7.7
|    |    +--- org.apache.sshd:sshd-pam:0.11.0
|    |    |    +--- org.apache.sshd:sshd-core:0.11.0 (*)
|    |    |    \--- net.sf.jpam:jpam:1.1
|    |    +--- org.bouncycastle:bcprov-jdk15on:1.49
|    |    +--- org.bouncycastle:bcpkix-jdk15on:1.49
|    |    |    \--- org.bouncycastle:bcprov-jdk15on:1.49
|    |    \--- org.apache.mina:mina-core:2.0.7 (*)
|    +--- org.crashub:crash.embed.spring:1.3.0
|    |    +--- org.crashub:crash.shell:1.3.0 (*)
|    |    +--- org.springframework:spring-core:3.1.1.RELEASE -> 4.1.3.RELEASE
|    |    +--- org.springframework:spring-context:3.1.1.RELEASE -> 4.1.3.RELEASE (*)
|    |    \--- org.springframework:spring-beans:3.1.1.RELEASE -> 4.1.3.RELEASE (*)
|    +--- org.crashub:crash.plugins.cron:1.3.0
|    |    +--- org.crashub:crash.shell:1.3.0 (*)
|    |    \--- it.sauronsoftware.cron4j:cron4j:2.2.5
|    +--- org.crashub:crash.plugins.mail:1.3.0
|    |    +--- org.crashub:crash.shell:1.3.0 (*)
|    |    \--- javax.mail:mail:1.4
|    |         \--- javax.activation:activation:1.1
|    +--- org.crashub:crash.shell:1.3.0 (*)
|    \--- org.codehaus.groovy:groovy:2.3.8
philwebb commented 9 years ago

Weird. It should already be excluded https://github.com/spring-projects/spring-boot/blob/v1.2.0.RELEASE/spring-boot-starters/spring-boot-starter-remote-shell/pom.xml#L91-L96.

Are you actually seeing it appear in your final jar?

wilkinsona commented 9 years ago

Could this be due to Gradle's different handling of exclusions? That dependency tree output looks like Gradle's

ceefour commented 9 years ago

Indeed I'm using Gradle. But I haven't confirmed if this is indeed Gradle's intended behavior or a particular bug.

If it's Gradle's intended behavior then surely my project would have more wrong dependencies that just this one...

On Wed, Dec 31, 2014, 14:34 Andy Wilkinson notifications@github.com wrote:

Could this be due to Gradle's different handling of exclusions? That dependency tree output looks like Gradle's

— Reply to this email directly or view it on GitHub https://github.com/spring-projects/spring-boot/issues/2257#issuecomment-68428159 .

wilkinsona commented 9 years ago

Sadly, Gradle handle's exclusions differently to Maven even when it's processing a Maven pom.

In this case groovy-all is pulled in via org.crashub:crash.shell where we've excluded it. This is enough to prevent Maven from pulling in groovy-all when you depend on the remote shell starter. org.crashub:crash.shell is also pulled in as a transitive dependency of a number of other dependencies and Gradle requires each of these to also exclude groovy-all for it to actually be excluded.

The long-term fix for this is #2133.