https://github.com/thymeleaf/thymeleaf-spring/issues/263 - new Thymeleaf version 3.0.13.RELEASE has been recently released.

However, the apps cannot be safely updated yet, since there is no new version of org.springframework.boot:spring-boot-starter-thymeleaf that includes this Thymeleaf artifact.

The dependency tree looks like this:

    +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:2.6.1:compile
    |  +- org.thymeleaf:thymeleaf-spring5:jar:3.0.12.RELEASE:compile
    |  |  \- org.thymeleaf:thymeleaf:jar:3.0.12.RELEASE:compile

AFAIR, this will mean a new Spring Boot release (probably 2.6.2). As recommended in the Spring Boot docs, the version 2.6.1 is inherited from a global property, like this:

            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-parent</artifactId>
                <version>${spring-boot.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>

Comment From: snicoll

> However, the apps cannot be safely updated yet, since there is no new version of org.springframework.boot:spring-boot-starter-thymeleaf that includes this Thymeleaf artifact.

There is no need for you to wait for that. The documentation explains how you can override a dependency (here for Maven). We will update our build in due course as we usually do.

Comment From: dmitry-weirdo

@snicoll

> However, the apps cannot be safely updated yet, since there is no new version of org.springframework.boot:spring-boot-starter-thymeleaf that includes this Thymeleaf artifact.

> There is no need for you to wait for that. The documentation explains how you can override a dependency (here for Maven). We will update our build in due course as we usually do.

It's very unclear from the doc you pointed to what I should do to override thymeleaf-spring5 while keeping the spring-boot-starter-thymeleaf at 2.6.1.

As mentioned here, I tried to only add a property in my root pom.xml:

        <thymeleaf.version>3.0.13.RELEASE</thymeleaf.version> 

, but this does not help with failing dependency-check Maven plugin and Trivy for the built Docker container. Which is pretty obvious since spring-boot-starter-thymeleaf continues to depend on thymeleaf-spring5 version 3.0.12.RELEASE.

Should I also explicitly add a dependency on Thymeleaf and explicitly exclude spring-boot-starter-thymeleaf dependency on thymeleaf-spring5? This will look like a non-nice hack but could help.

Comment From: wilkinsona

If you were inheriting from spring-boot-starter-parent you could override the thymeleaf.version property. As you're importing instead, you should declare your own dependency management for Thymeleaf's modules to override the version to 3.0.13.RELEASE.

Comment From: snicoll

> It's very unclear from the doc you pointed to, what should I do

That is also explained 20 lines below in the next section.

Comment From: dmitry-weirdo

@snicoll Thanks for the hint. However, I am still struggling to make it work.

Modified the parent pom's <dependencyManagement>:

            <!-- Override Thymeleaf version provided by Spring Boot -->
            <!-- see https://docs.spring.io/spring-boot/docs/current/maven-plugin/reference/htmlsingle/#using.import -->
            <dependency>
                <groupId>org.thymeleaf</groupId>
                <artifactId>thymeleaf-spring5</artifactId>
                <version>${thymeleaf.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>

            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-parent</artifactId>
                <version>${spring-boot.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>

            <!-- define spring-boot-dependencies after all overridden dependencies -->
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-dependencies</artifactId>
                <version>${spring-boot.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>

And still the dependencies from the child pom are on the 3.0.12.RELEASE version:

    +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:2.6.1:compile
    |  +- org.thymeleaf:thymeleaf-spring5:jar:3.0.12.RELEASE:compile
    |  |  \- org.thymeleaf:thymeleaf:jar:3.0.12.RELEASE:compile

Yes, I ran mvn clean + mvn install first.

I also tried to add org.thymeleaf:thymeleaf to the parent's <dependencyManagement>. Still the same result (although the artifact is downloaded by Maven while building):

            <dependency>
                <groupId>org.thymeleaf</groupId>
                <artifactId>thymeleaf</artifactId>
                <version>${thymeleaf.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>

Comment From: snicoll

The spring-boot-starter-parent should not be imported at all, I don't know why you've done that. I am afraid this looks like a Maven usage question at this point. Rather than code snippets, if you can share a sample that exhibits the problem you're facing, we can have a look. You can share the project by attaching a zip to this issue or sharing a link to a GitHub repository.

Comment From: dmitry-weirdo

@snicoll

https://github.com/dmitry-weirdo/spring-boot-thymeleaf-test - I added a repo with an example simple empty project copied from my problematic configuration. Most of the additional dependencies used in my real project were removed. I also commented out the spring-boot-starter-parent dependency, still the same result.

It would be nice if you could take a look.

Comment From: snicoll

This turned out to be a Maven question. Thymeleaf is a JAR, not a BOM, so those lines are incorrect and should be removed.

Comment From: dmitry-weirdo

@snicoll

πŸ‘ πŸ‘ Great, the nail hit right on the head. After I changed the dependencies for both Thymeleaf artifacts, they are now included with 3.0.13.RELEASE version!

            <dependency>
                <groupId>org.thymeleaf</groupId>
                <artifactId>thymeleaf-spring5</artifactId>
                <version>${thymeleaf.version}</version>
            </dependency>

            <dependency>
                <groupId>org.thymeleaf</groupId>
                <artifactId>thymeleaf</artifactId>
                <version>${thymeleaf.version}</version>
            </dependency>

From the dependency tree:

    +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:2.6.1:compile
    |  +- org.thymeleaf:thymeleaf-spring5:jar:3.0.13.RELEASE:compile
    |  |  \- org.thymeleaf:thymeleaf:jar:3.0.13.RELEASE:compile

And the dependency check is now passing!

Thanks so much!
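
A check for the override discussed in this thread, as an added example that is not part of the original issue or of the Spring Boot or Thymeleaf projects: it parses `mvn dependency:tree` output in the format quoted above and lists every `org.thymeleaf` artifact still resolved below a minimum version, with the path that pulls it in. The function names and the embedded sample trees are constructed for illustration.

```python
import re
import sys

# Constructed sample: dependency tree in the format quoted in the thread,
# before and after the dependencyManagement override takes effect.
TREE_BEFORE = r"""
+- org.springframework.boot:spring-boot-starter-thymeleaf:jar:2.6.1:compile
|  +- org.thymeleaf:thymeleaf-spring5:jar:3.0.12.RELEASE:compile
|  |  \- org.thymeleaf:thymeleaf:jar:3.0.12.RELEASE:compile
"""
TREE_AFTER = TREE_BEFORE.replace("3.0.12.RELEASE", "3.0.13.RELEASE")

# A node line: optional "[INFO] " prefix, indentation in 3-character units
# ("|  " or "   "), then "+- " or "\- ", then the artifact coordinates.
NODE = re.compile(r"^(?:\[INFO\] )?((?:[| ] {2})*)[+\\]- (\S+)$")


def version_key(version):
    """Leading numeric components, e.g. '3.0.13.RELEASE' -> (3, 0, 13)."""
    key = []
    for part in version.split("."):
        if not part.isdigit():
            break
        key.append(int(part))
    return tuple(key)


def stale_artifacts(tree_text, group_id, minimum):
    """Return (dependency path, version) for nodes of group_id below minimum."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        match = NODE.match(line.rstrip())
        if not match:
            continue
        depth = len(match.group(1)) // 3
        parts = match.group(2).split(":")
        if len(parts) < 5:  # expect group:artifact:type[:classifier]:version:scope
            continue
        group, artifact, version = parts[0], parts[1], parts[-2]
        del stack[depth:]  # drop siblings and deeper nodes from the path
        stack.append(artifact)
        if group == group_id and version_key(version) < version_key(minimum):
            findings.append((" > ".join(stack), version))
    return findings


if __name__ == "__main__":
    found = stale_artifacts(sys.stdin.read(), "org.thymeleaf", "3.0.13.RELEASE")
    for path, version in found:
        print(f"{path}: {version}")
    sys.exit(1 if found else 0)
```

Piping the output of `mvn dependency:tree` into the script makes a build step fail while the starter still resolves the older Thymeleaf modules.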