How can I exclude a shadowJar during a Maven build?
Question
I'm using spring-cloud-cloudfoundry-connector-2.0.7.RELEASE.jar in a project, which is built with the com.fasterxml.jackson.core:jackson-databind:2.10.0 files as a shadow JAR (ie the files are included within the spring-cloud-cloudfoundry-connector JAR rather than just being a dependency.
The problem is, jackson-databind 2.10.0 now has known security problems but there is no later version of the Spring library with patched Jackson files. So, what I need to do is use the existing Spring library but newer Jackson libraries. If it were a normal dependency it would be easy enough, but obviously the files can't be removed from the Spring library.
So, it there any way of forcing Maven to ignore the embedded Jackson classes and only use the newer Jackson library (which is already included in my main project).
The Gradle build file (and the rest of the Spring project) can be found here: https://github.com/spring-cloud/spring-cloud-connectors/blob/master/spring-cloud-cloudfoundry-connector/build.gradle
1 answers
solution1
1 2021-04-20 14:03:16
You can construct your own patched version of the JAR by manually removing the jackson-databind files. Then you can use a new version number like 2.0.7.RELEASE-patched .
Put this into your Nexus/Artifactory, or otherwise the local repository.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.