Dependency convergence conflict for com.nimbusds:nimbus-jose-jwt using Spring Boot version 3.1.3

Step by step:

1. Copy the following pom.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.1.3</version>
        <relativePath/>
    </parent>

    <groupId>com.example.test</groupId>
    <artifactId>dependency-convergence</artifactId>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-oauth2-client</artifactId>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-enforcer-plugin</artifactId>
                <executions>
                    <execution>
                        <id>enforce</id>
                        <goals>
                            <goal>enforce</goal>
                        </goals>
                        <phase>validate</phase>
                        <configuration>
                            <rules>
                                <DependencyConvergence/>
                            </rules>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>
2. Execute mvn validate

Expected result: The dependencies should converge, i.e. every (transitive) dependency should have exactly one version specified.

Actual result: Two different versions of nimbus-jose-jwt are imported transitively:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.3.0:enforce (enforce) on project dependency-convergence: 
[ERROR] Rule 0: org.apache.maven.enforcer.rules.dependency.DependencyConvergence failed with message:
[ERROR] Failed while enforcing releasability.
[ERROR] 
[ERROR] Dependency convergence error for com.nimbusds:nimbus-jose-jwt:jar:9.24.4 paths to dependency are:
[ERROR] +-com.example.test:dependency-convergence:jar:3.1.3
[ERROR]   +-org.springframework.boot:spring-boot-starter-oauth2-client:jar:3.1.3:compile
[ERROR]     +-org.springframework.security:spring-security-oauth2-client:jar:6.1.3:compile
[ERROR]       +-com.nimbusds:oauth2-oidc-sdk:jar:9.43.3:compile
[ERROR]         +-com.nimbusds:nimbus-jose-jwt:jar:9.24.4:compile
[ERROR] and
[ERROR] +-com.example.test:dependency-convergence:jar:3.1.3
[ERROR]   +-org.springframework.boot:spring-boot-starter-oauth2-client:jar:3.1.3:compile
[ERROR]     +-org.springframework.security:spring-security-oauth2-jose:jar:6.1.3:compile
[ERROR]       +-com.nimbusds:nimbus-jose-jwt:jar:9.31:compile
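Added example, not part of the issue report or of the Spring projects' own code: a dependencyManagement entry for the reporter's pom that pins the transitive nimbus-jose-jwt version, so that both paths in the enforcer output above resolve to one artifact and the DependencyConvergence rule passes. Pinning to 9.31 (the newer of the two versions shown in the report) is an assumption; check it against your own dependency tree before adopting it.

```xml
<!-- Added example (not from the issue or the Spring projects): place this
     inside <project> next to <dependencies>. Maven applies a managed version
     to every transitive reference of the artifact, so the enforcer sees a
     single version instead of 9.24.4 and 9.31.
     The choice of 9.31 is an assumption based on the two versions listed in
     the report; verify it against the rest of your resolved tree. -->
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>com.nimbusds</groupId>
            <artifactId>nimbus-jose-jwt</artifactId>
            <version>9.31</version>
        </dependency>
    </dependencies>
</dependencyManagement>
```

Re-run mvn validate to confirm the rule passes, and mvn dependency:tree -Dverbose=true shows which transitive references had their version managed.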

Comment From: wilkinsona

Spring Boot stopped managing the versions of various Nimbus dependencies in 2.6.x in favor of using the versions from Spring Security. Ideally, its spring-security-oauth2-jose and spring-security-oauth2-jose modules could be used in combination without Boot's dependency management having to align the version of com.nimbusds:nimbus-jose-jwt that's used.

Please report this to Spring Security so that they can address the problem in a way that will benefit everyone, not just Spring Boot users.

Comment From: matsev

Thanks, I have filed a new ticket at spring-projects/spring-security#13843