For Spring Boot 2.4 and 2.5 we'd like to align our dependency management for Nimbus with whatever Spring Security declares. We should update our build to:
- Exclude them from Bomr
- Read the Spring Security version and parse their GitHub
- Enforce our version matches
We can parse the lockfile for earlier versions of Spring Security and the dependencies file for later ones.
Comment From: wilkinsona
See also https://github.com/spring-projects/spring-boot/issues/21279.
Comment From: wilkinsona
We've decided to take a slightly different approach and use Bomr to keep things aligned.