Spring Security spring-security-oauth2-client uses a range of net.minidev:json-smart that causes dependency resolution issues

spring-security-oauth2-client depends on net.minidev:json-smart:[1.3.3,2.4.7], which causes issues:

   > Could not resolve net.minidev:json-smart:[1.3.3,2.4.7].
     Required by:
         project :xxx > org.springframework.security:spring-security-oauth2-client:5.6.1 > com.nimbusds:oauth2-oidc-sdk:9.19
      > Failed to list versions for net.minidev:json-smart.
         > Unable to load Maven meta-data from https://plugins.gradle.org/m2/net/minidev/json-smart/maven-metadata.xml.
            > Could not HEAD 'https://repo.gradle.org/artifactory/jcenter/net/minidev/json-smart/maven-metadata.xml'.
               > Read timed out

Is it possible for you to replace the range with a specific version (2.4.7)?

Thank you.

Comment From: sjohnr

Hi @yoni22222, thanks for reaching out and welcome to the project!

Based on the output from your build tool, and looking at our dependencies, this appears to be an issue with com.nimbusds:oauth2-oidc-sdk, because net.minidev:json-smart is a transitive dependency. I've not encountered that issue, so I'm curious in what situation this error occurs, e.g. with/without Spring Boot, maven/gradle, etc. But at any rate, I think you might want to open an issue with the nimbus folks.

I'm going to close this issue for now, but feel free to let me know if you feel I've misunderstood or missed anything obvious and we can reopen if necessary.