stackoom
  简体   繁体   中英

safely overriding spring-boot dependency version

 原文  2021-06-21 12:57:31       java/ spring/ spring-boot/ spring-security/ dependency-management

Question

I am using spring-boot 2.1.18.RELEASE.

We need to upgrade Spring security to 5.2+. Doing so led to errors of the like: NoClassDefFound so I started manually upgrading other libraries along the way, solving and finding other issues. For example, I had to upgrade one dependency (spring-security-web), which led to:

java.lang.NoClassDefFoundError: org/springframework/core/log/LogMessage

My question: how to know if upgrading one specific spring dependency is safe?

Is there any minimal requirements info for each dependency? For example: spring-security-web 5.2.10.RELEASE requires spring-core 5.2.0+

1 answers

solution1
 1  2021-06-21 23:11:40

Generally speaking, all spring security dependencies should match the same version as they are managed together. So spring-security-web-5.2.10.RELEASE needs to match spring-security-core-5.2.10.RELEASE . But those dependencies are typically managed transitively, so whichever spring-security dependencies you explicitly depend on should have the same version, and any others (transitive dependencies) should not have versions declared in your build.

As far as something like spring-security-web depending on spring-core , there is no explicit guarantee made for any version since it is a separate project. But again, spring-core is a transitive dependency and shouldn't require specifying a version. Both projects (Spring Framework, Spring Security) use semver versioning and follow a release train, so the general rule of thumb is aligning on the minor version. Therefore, spring-security-web-5.2.10.RELEASE needs to match spring-core of 5.2.x.

Finally, if you're stuck maintaining an older Spring Boot app and can't upgrade, you should stick within the minor release of all the dependencies your project is compatible with. For example, trying to upgrade from spring-security 5.1 to 5.2+ for only some dependencies without upgrading Spring Boot may cause issues. Best to upgrade the entire ecosystem of spring projects at once using Spring Boot. Until then, you can pick up security patches without major upgrades as they are maintained for quite some time. In your case, upgrading to 5.2, you really need to look at upgrading Spring Boot to 2.2 to get the latest security patches for Spring Security.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to get spring-boot dependency version in gradle? How define the dependency injections in spring-boot? Add dependency with spring-boot 1.2.5 Spring-Boot Maven, missing dependency @RestController Overriding spring-boot application properties when deploying in JBoss How to add a spring-boot jar as a dependency in a new spring-boot project without changing the original pom How to build a library around spring-boot that doesn't enforce a certain spring-boot version? spring-boot gradle plugin messes ivy dependency configuration? Spring-Boot Cannot Add Google Guava Dependency Error creating bean in dependency injection with spring-boot
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM