Hello, I'll keep this message short, because I think it might have already been reported. But I have not been able to find it.
After today's upgrade to the new version 2.4.7 I get some dependency convergence errors around the spring-boot-starter-data-jpa and the corresponding spring-data library.
Error example:
spring-boot-starter-jdbc -> spring-core:5.3.8
spring-data-jpa -> spring-core:5.3.7
The same for:
-> spring-context (5.3.8 vs 5.3.7)
-> spring-beans (5.3.8 vs 5.3.7)
-> spring-jdbc (5.3.8 vs 5.3.7)
-> spring-tx (5.3.8 vs 5.3.7)
Many thanks, Steffen
Comment From: wilkinsona
You should use Spring Boot's dependency management, either via spring-boot-starter-parent or importing spring-boot-dependencies, to ensure that Spring Framework 5.3.8 is used consistently. Alternatively, if you don't want to use spring-boot-starter-parent or import spring-boot-dependencies, you could import Spring Framework's bom instead.
If you are already using one of the approaches described above and are still seeing dependency convergence problems, please provide a minimal sample that reproduces the problem. You can share it with us by zipping it up and attaching it to this issue or by pushing it to a separate repository on GitHub.
Comment From: vitamindit
Hello,
thanks - I have attached a pom.xml below. However, the configured enforcer plugin does not bring up the error as it occurs in my multi-module project. There are apparently different results as Maven picks one of the versions, possibly depending on which scope was configured.
But as you can see by using mvn dependency:tree -Dverbose with the simple pom.xml attached, in the resulting dependency tree output there are some conflicts between Spring dependencies like
(org.springframework:spring-beans:jar:5.3.8:compile - version managed from 5.3.7; omitted for duplicate)
These problems were not experienced before, including with 2.4.6. I always update very early. Only to 2.5.x I cannot upgrade yet.
Dependency tree output
[INFO] sb-bugs:deperror:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework:spring-core:jar:5.3.8:compile
[INFO] |  \- org.springframework:spring-jcl:jar:5.3.8:compile
[INFO] +- org.springframework.boot:spring-boot-starter:jar:2.4.7:compile
[INFO] |  +- org.springframework.boot:spring-boot:jar:2.4.7:compile
[INFO] |  |  +- (org.springframework:spring-core:jar:5.3.8:compile - omitted for duplicate)
[INFO] |  |  \- org.springframework:spring-context:jar:5.3.8:compile
[INFO] |  |     +- (org.springframework:spring-aop:jar:5.3.8:compile - omitted for duplicate)
[INFO] |  |     +- (org.springframework:spring-beans:jar:5.3.8:compile - version managed from 5.3.7; omitted for duplicate)
[INFO] |  |     +- (org.springframework:spring-core:jar:5.3.8:compile - omitted for duplicate)
[INFO] |  |     \- (org.springframework:spring-expression:jar:5.3.8:compile - version managed from 5.2.13.RELEASE; omitted for duplicate)
... cut
Example pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>sb-bugs</groupId>
  <artifactId>deperror</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>jar</packaging>
  <properties>
    <spring.boot.version>2.4.7</spring.boot.version>
    <maven.compiler.target>16</maven.compiler.target>
    <maven.compiler.source>16</maven.compiler.source>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <!-- Custom parent pom => Import dependency management from Spring Boot -->
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>${spring.boot.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-beans</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-tx</artifactId>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0-M3</version>
        <executions>
          <execution>
            <id>enforce-dependency-convergence</id>
            <phase>validate</phase>
            <configuration>
              <rules>
                <dependencyConvergence>
                  <uniqueVersions>true</uniqueVersions>
                </dependencyConvergence>
              </rules>
            </configuration>
            <goals>
              <goal>enforce</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
Comment From: wilkinsona
Thanks.
Those messages aren't conflicts. They're examples of the dependency management working as it should and ensuring that consistent versions are used. In other words, it's exactly what I'd expect to see when dependency convergence problems are being avoided. That matches with the fact that in your example above the enforcer plugin doesn't fail.
If you'd like us to spend some more time investigating, we'll need to see a sample multi-module project that reproduces the enforcement failure.
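The distinction drawn in the comment above, between `version managed from` notes and real conflicts, can be checked mechanically over `mvn dependency:tree -Dverbose` output. The following Python script is an added example, not code from the thread or from Spring Boot; the `com.example:demo-lib` lines are constructed, and the parser assumes the `omitted for conflict with` note that Maven's verbose tree prints when mediation discards a version.

```python
import re
from collections import defaultdict

# One node of `mvn dependency:tree -Dverbose`; omitted nodes are parenthesised
# and carry a note after " - ". An optional classifier field is tolerated.
NODE = re.compile(
    r"\(?(?P<ga>[\w.\-]+:[\w.\-]+):[\w\-]+:(?:[\w.\-]+:)?(?P<version>[^:\s)]+)"
    r":(?:compile|runtime|test|provided|system)\b(?: - (?P<note>[^)]*)\))?"
)

# Nodes taken from the tree output posted in the thread.
PAGE_TREE = r"""
[INFO] sb-bugs:deperror:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework:spring-core:jar:5.3.8:compile
[INFO] |  |  \- org.springframework:spring-context:jar:5.3.8:compile
[INFO] |  |     +- (org.springframework:spring-beans:jar:5.3.8:compile - version managed from 5.3.7; omitted for duplicate)
[INFO] |  |     \- (org.springframework:spring-expression:jar:5.3.8:compile - version managed from 5.2.13.RELEASE; omitted for duplicate)
"""

# Constructed lines (hypothetical com.example:demo-lib) showing an unmanaged conflict.
CONSTRUCTED_CONFLICT = r"""
[INFO] +- com.example:demo-lib:jar:1.1.0:compile
[INFO] |  \- (com.example:demo-lib:jar:1.0.0:compile - omitted for conflict with 1.1.0)
"""

def audit(tree_text):
    """Split verbose-tree notes into managed overrides and real conflicts."""
    resolved, managed, conflicts = defaultdict(set), [], []
    for line in tree_text.splitlines():
        m = NODE.search(line)
        if not m:
            continue  # root line, "... cut", blank lines
        ga, version, note = m.group("ga"), m.group("version"), m.group("note") or ""
        lost = re.search(r"omitted for conflict with ([^;\s]+)", note)
        if lost:
            # The printed version lost mediation to the one named in the note.
            conflicts.append((ga, version, lost.group(1)))
            continue
        resolved[ga].add(version)
        was = re.search(r"version managed from ([^;\s]+)", note)
        if was:
            managed.append((ga, was.group(1), version))  # (artifact, declared, used)
    divergent = {ga: sorted(v) for ga, v in resolved.items() if len(v) > 1}
    return {"managed": managed, "conflicts": conflicts, "divergent": divergent}

if __name__ == "__main__":
    for name, text in (("thread", PAGE_TREE), ("constructed", CONSTRUCTED_CONFLICT)):
        print(name, audit(text))
```

For the thread's output the script reports two managed overrides and no conflicts or divergent versions; only the constructed lines produce a conflict entry.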
Comment From: vitamindit
Thank you ... of course I'll look into it too. Conflicts maybe not, but small "uncleanliness" that just fall on my feet :) Anyway. I have here still the error narrowed from my multi-module project. Maybe that helps too.
Here are some error messages from the build log:
+-org.springframework.boot:spring-boot-starter-data-jpa:2.4.7
  +-org.springframework.boot:spring-boot-starter-jdbc:2.4.7
    +-org.springframework:spring-jdbc:5.3.8
      +-org.springframework:spring-beans:5.3.8
.... conflicts with
+-org.springframework.boot:spring-boot-starter-data-jpa:2.4.7
  +-org.springframework.data:spring-data-jpa:2.4.9
    +-org.springframework.data:spring-data-commons:2.4.9
      +-org.springframework:spring-beans:5.3.7
Second example
+-org.springframework.boot:spring-boot-starter-data-jpa:2.4.7
  +-org.springframework.boot:spring-boot-starter-jdbc:2.4.7
    +-org.springframework:spring-jdbc:5.3.8
... conflicts with
+-org.springframework.boot:spring-boot-starter-data-jpa:2.4.7
  +-org.springframework.data:spring-data-jpa:2.4.9
    +-org.springframework:spring-orm:5.3.7
      +-org.springframework:spring-jdbc:5.3.7
As soon as I have new insight I will report it here.
Comment From: vitamindit
The situation seems to be the following. I have a few pom modules for the complex dependency management within my multi-module project in which I centrally readjust the dependencies of Spring Boot. This creates a few different dependency paths to the Spring Boot libraries - e.g. one for web, one for data-jpa and another for security. Obviously these paths lead to different version resolutions because sb starter data-jpa uses older versions than sb starter web (5.3.7 vs 5.3.8).
Of course, one can now discuss whether the project is too big. Or whether the way of tweaking the dependency management should be possible at all. I hope this is not the matter now and that we are talking about the quality of dependency management in spring boot - objectively.
What I would like to point out ... is that the convergence of the spring-core libraries between the following two development branches always matched in the past:
spring-boot-starter-data(-jpa) ... affected version 2.4.7 and
spring-data(-jpa) ... affected version 2.4.9
Which are merged and managed together by spring-boot. But now drifting apart and becoming a problem in customized projects.
Comment From: wilkinsona
What you're observing is a symptom of the slightly different release cadences of the projects involved. Spring Boot 2.4.7 was released after Spring Framework 5.3.8 but there's yet to be a Spring Data release. The next Spring Data release will pick up the latest Spring Framework 5.3.x release that's available at that time.
This situation is quite common among the Spring projects that Spring Boot manages. You haven't seen the problem with Spring Data before as it generally releases on top of every Framework release, but did not do so in this latest batch of releases. Other Spring projects that Spring Boot manages release far less frequently, for example Spring Retry and Spring REST Docs. The alternative would be to release new versions of every project each time there's a new Spring Framework release, even if there have been no changes. The benefits of this are minimal and the downsides in terms of time taken and confusion caused by new releases with no changes are high.
Appropriately configured dependency management will address any dependency convergence issues. As stated above, we recommend using spring-boot-starter-parent or importing spring-boot-dependencies for that. In the absence of a sample project with appropriately configured dependency management that reproduces a dependency convergence problem I'm going to close this issue now as there's no action to be taken here.
Comment From: vitamindit
Thank you for the explanation. That explains it, of course.
I am working on the example right now. It will also help me to improve the matter. If you are interested, I would be pleased to post it as well.