spring-projects / spring-boot

Spring Boot helps you to create Spring-powered, production-grade applications and services with absolute minimum fuss.
https://spring.io/projects/spring-boot
Apache License 2.0

Broken dependency management for org.springframework.security:spring-security-oauth2-client in 2.7.10 Parent POM #34892

Closed philippn closed 1 year ago

philippn commented 1 year ago

Hi there,

I noticed after upgrading to Spring Boot 2.7.10, the jar file spring-security-oauth2-client-5.7.3.jar was still included, whereas the other Spring Security Jars were correctly resolved to 5.7.7.

This issue can easily be inspected when generating the effective POM for any project that has Spring Boot Starter Parent 2.7.10 as its parent.

The generated effective POM looks like this: effective-pom

Given the position in this effective POM, I suspect the bad version number has something to do with the old org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure above it.

Thanks in advance for looking into it and kind regards, Philipp
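One way to check an effective POM for the version skew described in this report. This is an added example, not part of the original thread or of any Spring project's code. The function names and the sample XML are constructed for illustration, and it assumes a single-module effective POM with resolved versions.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
GROUP = "org.springframework.security"

# Constructed sample: a trimmed dependencyManagement section shaped like
# `mvn help:effective-pom` output, using the versions reported in the issue.
SAMPLE_EFFECTIVE_POM = f"""\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency><groupId>{GROUP}</groupId>
      <artifactId>spring-security-core</artifactId><version>5.7.7</version></dependency>
    <dependency><groupId>{GROUP}</groupId>
      <artifactId>spring-security-web</artifactId><version>5.7.7</version></dependency>
    <dependency><groupId>{GROUP}</groupId>
      <artifactId>spring-security-oauth2-client</artifactId><version>5.7.3</version></dependency>
  </dependencies></dependencyManagement>
</project>
"""


def managed_versions(pom_xml):
    """Return {groupId: {artifactId: version}} from dependencyManagement."""
    root = ET.fromstring(pom_xml)
    groups = defaultdict(dict)
    path = "m:dependencyManagement/m:dependencies/m:dependency"
    for dep in root.findall(path, POM_NS):
        fields = [dep.findtext(f"m:{tag}", namespaces=POM_NS)
                  for tag in ("groupId", "artifactId", "version")]
        if all(fields):  # skip entries without an explicit version
            group, artifact, version = (f.strip() for f in fields)
            groups[group][artifact] = version
    return groups


def version_skew(pom_xml, group_id):
    """Return the artifacts in group_id that are not on the group's majority version."""
    artifacts = managed_versions(pom_xml).get(group_id, {})
    if not artifacts:
        return {}
    # On a tie, the version seen first in the POM is treated as the majority.
    majority = Counter(artifacts.values()).most_common(1)[0][0]
    return {a: v for a, v in artifacts.items() if v != majority}


if __name__ == "__main__":
    for artifact, version in version_skew(SAMPLE_EFFECTIVE_POM, GROUP).items():
        print(f"{GROUP}:{artifact} is managed at {version}")
```

Run against a real effective POM in CI, a non-empty result for a group that is expected to move in lockstep is a signal that an imported BOM has overridden part of the managed set.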

snicoll commented 1 year ago

@philippn unfortunately, sharing a screenshot is not helpful.

> This issue can easily be inspected when generating the effective POM for any project that has Spring Boot Starter Parent 2.7.10 as its parent.

I am afraid it can't. The effective pom is correct and a maven project created from start.spring.io with Spring Boot 2.7.10 resolves org.springframework.security:spring-security-oauth2-client to 5.7.7 as expected.

If you want support, please share a minimal project that reproduces what you've described.

philippn commented 1 year ago

Hello @snicoll

Thanks for your quick reply. You are right, it wasn't happening with the plain example as I suspected. I beg your pardon.

In fact it seems to happen when importing the dependency management of Spring Cloud.

I have uploaded an example POM as a Gist: pom.xml

Hope that helps!

Thanks and kind regards, Philipp

snicoll commented 1 year ago

Thanks but a problem in Spring Cloud's dependency management should not be reported here. I did reproduce the problem and looked at the Spring Cloud org and couldn't manage to find out the root cause of the problem. I've also noticed that using 2021.0.7-SNAPSHOT does not exhibit the issue.

At this point, I can't justify spending more time on this. Feel free to report it to Spring Cloud: https://github.com/spring-cloud/spring-cloud-release

snicoll commented 1 year ago

I've managed to track it down. This is a duplicate of https://github.com/spring-cloud/spring-cloud-openfeign/issues/786