
Projects using Maven and spring-security-oauth2-client end up with a downgraded version of json-smart that isn't compatible with the managed version of json-path #21939

Closed
ninjacoda opened this issue Jun 16, 2020 · 2 comments
Labels: type: bug (A general bug)

@ninjacoda

There is a clash over the transitive dependency on json-smart between spring-security-oauth2-client:5.3.3 and spring-boot-starter-test:2.3.1. The issue was addressed in spring-security-oauth2-client, but spring-boot-dependencies is still causing this to clash.

As this is now an issue with the dependency declaration in spring-boot-dependencies, and because the corresponding ticket has already been closed in spring-security, I'll reopen it here with updated Spring version numbers. (Not sure which ticket queue it should be on.)

Full details are here: spring-projects/spring-security#8608 (comment)

[INFO] +- org.springframework.security:spring-security-oauth2-client:jar:5.3.3.RELEASE:compile
[INFO] |  +- com.nimbusds:oauth2-oidc-sdk:jar:7.1.1:compile (version managed from 7.5)
[INFO] |  |  +- net.minidev:json-smart:jar:1.3.1:compile

Version 1.3.1 doesn't seem to support JSON Path (sufficiently).
Version 2.3 isn't pulled in because of spring-boot-dependencies importing an older version of com.nimbusds:oauth2-oidc-sdk:

[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.3.1.RELEASE:test
[INFO] |  +- (org.springframework.boot:spring-boot-starter:jar:2.3.1.RELEASE:test - omitted for duplicate)
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO] |  |  +- (net.minidev:json-smart:jar:2.3:test - omitted for conflict with 1.3.1)

Can com.nimbusds:oauth2-oidc-sdk be updated to 7.5 (or 7.+, as in spring-security-oauth2-client)?

management "com.nimbusds:nimbus-jose-jwt:8.+"
management "com.nimbusds:oauth2-oidc-sdk:7.+"
@ninjacoda
Author

NB: Declaring dependency management in my own POM lets me work around the issue - but it seems that two Spring projects shouldn't really quarrel over their dependencies like this... 😇

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>net.minidev</groupId>
        <artifactId>json-smart</artifactId>
        <version>[2.3,3.0)</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jun 16, 2020
@ninjacoda ninjacoda changed the title from "spring-security-oauth2-client:5.3.3 and spring-boot-starter-test:2.3.1 clash over version of transitive dependency json-smart" to "spring-security-oauth2-client:5.3.3 and spring-boot-starter-test:2.3.1 clash over version of transitive dependency json-smart due to spring-boot-dependencies" Jun 16, 2020
@wilkinsona
Member

wilkinsona commented Jun 16, 2020

Thanks for the report. We won't move to a new minor version of a dependency in a maintenance release of Spring Boot so upgrading to oauth2-oidc-sdk 7.5 isn't an option until Boot 2.4. While Spring Security now uses oauth2-oidc-sdk 7.5 by default, it remains compatible with 7.1 so there isn't a "quarrel" here.

The problem's really due to Maven's version conflict resolution. When faced with multiple different versions of a dependency, it resolves the conflict by selecting the version that's nearest to the root of the dependency graph. In this case that is 1.3.1. If you were using Gradle you would not see the problem as it resolves version conflicts by selecting the latest version so you'd end up with 2.3.

We can consider adding some dependency management for json-smart. We've done similar in the past for transitive dependencies to help Maven to do the right thing. In the meantime, adding your own dependency management as you have shown above is a good solution.
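To make the resolution rule described in the comment above concrete, here is an added example (not code from the issue or from either Spring project) that replays the quoted dependency tree under Maven's nearest-wins and Gradle's latest-wins rules and then applies the dependencyManagement pin shown in the earlier comment. The graph, the strategy names and the version_key/silent_downgrades helpers are constructed for this example; it assumes Maven's documented tie-break that, at equal depth, the first declaration wins.

```python
from collections import deque

# Constructed graph mirroring the mvn dependency:tree output quoted in the issue:
# "artifact:version" -> its direct dependencies, in declaration order.
GRAPH = {
    "app": ["spring-security-oauth2-client:5.3.3.RELEASE",
            "spring-boot-starter-test:2.3.1.RELEASE"],
    "spring-security-oauth2-client:5.3.3.RELEASE": ["oauth2-oidc-sdk:7.1.1"],
    "oauth2-oidc-sdk:7.1.1": ["json-smart:1.3.1"],
    "spring-boot-starter-test:2.3.1.RELEASE": ["json-path:2.4.0"],
    "json-path:2.4.0": ["json-smart:2.3"],
}

def version_key(version):
    """Order by the numeric dotted parts only, so 2.3 > 1.3.1; qualifiers are ignored."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())

def resolve(graph, root="app", strategy="nearest", management=None):
    """Return {artifact: version}. "nearest" is Maven's rule (shallowest occurrence,
    first declaration on a tie); "latest" is Gradle's (highest version anywhere).
    `management` overrides every occurrence, like a <dependencyManagement> entry."""
    management = management or {}
    chosen, queue, seen = {}, deque([root]), {root}
    while queue:  # breadth-first: the first sighting is the nearest and first-declared one
        node = queue.popleft()
        for dep in graph.get(node, []):
            artifact, version = dep.rsplit(":", 1)
            version = management.get(artifact, version)
            if artifact not in chosen:
                chosen[artifact] = version
            elif strategy == "latest" and version_key(version) > version_key(chosen[artifact]):
                chosen[artifact] = version
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return chosen

def silent_downgrades(graph, resolved):
    """Check: artifacts resolved to a lower version than one the graph also declares.
    That is the json-smart 1.3.1 pick here, which the dependencyManagement pin corrects."""
    declared = {}
    for deps in graph.values():
        for dep in deps:
            artifact, version = dep.rsplit(":", 1)
            declared.setdefault(artifact, set()).add(version)
    return sorted(a for a, v in resolved.items()
                  if any(version_key(o) > version_key(v) for o in declared[a]))
```

Running `resolve(GRAPH)` picks json-smart 1.3.1 and `silent_downgrades` flags it, `resolve(GRAPH, strategy="latest")` picks 2.3, and `resolve(GRAPH, management={"json-smart": "2.3"})` restores 2.3 under the Maven rule.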

@wilkinsona wilkinsona changed the title from "spring-security-oauth2-client:5.3.3 and spring-boot-starter-test:2.3.1 clash over version of transitive dependency json-smart due to spring-boot-dependencies" to "Projects using Maven and spring-security-oauth2-client end up with a downgraded version of json-smart that isn't compatible with the managed version of json-path" Jun 16, 2020
@wilkinsona wilkinsona added for: team-attention An issue we'd like other members of the team to review type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 16, 2020
@wilkinsona wilkinsona added this to the 2.3.x milestone Jun 16, 2020
fdlk added a commit to fdlk/molgenis-service-armadillo that referenced this issue Jun 17, 2020
@wilkinsona wilkinsona removed the for: team-attention An issue we'd like other members of the team to review label Jun 17, 2020
@wilkinsona wilkinsona self-assigned this Jun 18, 2020
@wilkinsona wilkinsona modified the milestones: 2.3.x, 2.3.2 Jun 18, 2020