-
Notifications
You must be signed in to change notification settings - Fork 5.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
spring-security-oauth2-client:5.3.2 and spring-boot-starter-test:2.3.0 clash over version of transitive dependency json-smart #8608
Comments
I did a bit more digging, and it turns out that up to and including |
Thanks for all the digging you did here, @ninjacoda. After some of my own, I think it's best to simply upgrade the Nimbus dependencies, that way Spring Security doesn't add any additional managed dependencies to its list. In general, it's a bit easier to only manage the beans that Spring Security depends on directly. There's a bit of a related discussion going on in #8543 and #8564, so I think it'd be best to see how those conversations go before deciding precisely what versions of |
Fixed via 94737df |
Thanks, @jzheaux . Unfortunately,
still defines
and
in its dependency management, so this is still broken for JSON Path asserts:
and
I'm not sure this is the right project to report it to, though - or if this ticket will reopen. |
Thanks for this extra information, @ninjacoda, and sorry this is still a problem for you. You are correct that Spring Boot manages dependencies via |
Describe the bug
When trying to run an integration test the following error occurs:
This is due to a version clash on transitive dependency
net.minidev:json-smart
betweenspring-security-oauth2-client:5.3.2
andspring-boot-starter-test:2.3.0
.Here's the partial output from
I'm logging this against Spring Security, as moving from
com.nimbusds:oauth2-oidc-sdk:jar:7.1.1
tocom.nimbusds:oauth2-oidc-sdk:jar:8.4.2
would likely fix the issue, as that defines its dependency asnet.minidev:json-smart:[1.3.1,2.3]
As per maven docs, that would permit for
json-smart:2.3
being used:By the way: The dependency in
oauth2-oidc-sdk:jar:8.4.2
(i.e.[1.3.1,2.3]
) would indicate thatjson-smart
version2.3
might be backwards-compatible to version1.3.1
, but as this is a dependency of a security-related library I would rather not take the chance of just forcing the new version ofjson-smart
on oauth2-oidc-sdk
usingdependencyManagement
.To Reproduce
Using the following dependencies:
running this test:
Expected behavior
Provided the response contains the properties and values specified in the jsonPath, the test should run and pass, not fail due to a missing class.
The text was updated successfully, but these errors were encountered: