-
Notifications
You must be signed in to change notification settings - Fork 40.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Projects using Maven and spring-security-oauth2-client end up with a downgraded version of json-smart that isn't compatible with the managed version of json-path #21939
Comments
NB: Declaring dependency management in my own POM lets me work around the issue - but it seems that two Spring projects shouldn't really quarrel over their dependencies like this... 😇
|
Thanks for the report. We won't move to a new minor version of a dependency in a maintenance release of Spring Boot so upgrading to The problem's really due to Maven's version conflict resolution. When faced with multiple different versions of a dependency, it resolves the conflict by selecting the version that's nearest to the root of the dependency graph. In this case that is 1.3.1. If you were using Gradle you would not see the problem as it resolves version conflicts by selecting the latest version so you'd end up with 2.3. We can consider adding some dependency management for |
There is a clash over the transitive dependency on
json-smart
betweenspring-security-oauth2-client:5.3.3
andspring-boot-starter-test:2.3.1
. The issue was addressed inspring-security-oauth2-client
, butspring-boot-dependencies
is still causing this to clash.As this is now an issue with the dependency declaration in
spring-boot-dependencies
, and because the corresponding ticket has already been closed inspring-security
, I'll reopen it here with updated Spring version numbers. (Not sure which ticket queue it should be on.)Full details are here: spring-projects/spring-security#8608 (comment)
Version 1.3.1 doesn't seem to support JSON Path (sufficiently).
Version 2.3 isn't pulled in because of
spring-boot-dependencies
importing an older version ofcom.nimbusds:oauth2-oidc-sdk
:Can
com.nimbusds:oauth2-oidc-sdk
be updated to7.5
(or7.+
, as inspring-security-oauth2-client
)?The text was updated successfully, but these errors were encountered: