Summary
I'm using Maven and spring-security-crypto. I need to import the org.bouncycastle:bcpkix-jdk15on optional dependency. I don't want to manage the version number of this dependency myself.
Actual Behavior
I have to set explicitly the version of bcpkix-jdk15on in my pom.xml:
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-jdk15on</artifactId>
    <version>1.64</version>
</dependency>
Expected Behavior
Use a BOM as said in the Spring Security documentation:
<dependencyManagement>
    <dependencies>
        <!-- ... other dependency elements ... -->
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-bom</artifactId>
            <version>5.2.1.RELEASE</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>
and don't set the version number explicitly:
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-jdk15on</artifactId>
</dependency>
Configuration
Version
5.2.1.RELEASE, nothing seems better on master.
Comment From: rwinch
Thanks for the suggestion, but we do not want to transitively bring in unnecessary dependencies. If you are wanting managed dependencies, I'd suggest using spring-boot-dependencies to manage your versions https://www.baeldung.com/spring-boot-dependency-management-custom-parent
NOTE: You don't need to use anything else from Spring Boot to benefit from dependency management.