SpringBoot spring-boot-starter-tomcat has fixed dependency versions

Spring-boot-starter-tomcat has fixed dependency versions for Tomcat dependencies without taking tomcat.version into account. This makes it impossible to simply override the version of the Tomcat dependencies by setting the property in our POM file.

Tested it with Spring Boot 2.1.9.RELEASE.

    <dependency>
      <groupId>org.apache.tomcat.embed</groupId>
      <artifactId>tomcat-embed-core</artifactId>
      <version>9.0.26</version>
      <scope>compile</scope>
      <exclusions>
        <exclusion>
          <artifactId>tomcat-annotations-api</artifactId>
          <groupId>org.apache.tomcat</groupId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.apache.tomcat.embed</groupId>
      <artifactId>tomcat-embed-el</artifactId>
      <version>9.0.26</version>
      <scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.tomcat.embed</groupId>
      <artifactId>tomcat-embed-websocket</artifactId>
      <version>9.0.26</version>
      <scope>compile</scope>
    </dependency>

Comment From: wilkinsona

For the version properties to be effective, you must use spring-boot-starter-parent as your project’s parent. Please see the relevant section of the documentation for further details.

Comment From: softKarma

Will using required tomcat starter with Import scope at the top of the dependencyManagement tag work to override the embedded tomcat server in case the parent pom is a corporate parent? Instructions to follow as mentioned here : https://docs.spring.io/spring-boot/docs/2.3.2.RELEASE/maven-plugin/reference/html/#using-import Question on stackoverflow : https://stackoverflow.com/q/63110403/1711670