Import BOM without the platform/enforcedPlatform keywords

Hello,
in Gradle manual at:
https://docs.gradle.org/current/userguide/platforms.html#sub:bom_import
I see that to import a BOM a should use the syntax:

dependencies {
    implementation platform('mygroup:mybom:1.0')
}

(or with enforcedPlatform to enforce module versions)

But in the tutorial at:
https://guides.gradle.org/building-spring-boot-2-projects-with-gradle/#applying_the_spring_boot_plugin_and_configuring_the_dependencies

I see that the Spring Boot BOM is imported without using the platform keyword.
I tried to search the Gradle docs and Google to see if the platform keyword could just be omitted or if the two syntaxes cause two different behaviours, but I was not able to find anything useful.

Thanks in advance,
Mauro

Hi @mauromol,

The syntax used in the Spring tutorial is added by the ‘io.spring.dependency-management’ plugin. That plugin is available for a long time and was created before Gradle introduced support for BOMs in the core (the platform keyword). We are working with the Spring team to clarify the situation and to update documentation. But it might still take some time.

The recommendation is already:
If you do not need anything specific from the ‘io.spring.dependency-management’ plugin, you do not need to use it anymore. And you can/should use platform(). And not apply the plugin even though it is mentioned in the tutorial.

Hi Jendrick,
thanks for your help. The mentioned Spring tutorial (which is hosted on Gradle website), however, says this:

Next we need to add the dependencies needed to compile and run our example as we are not using Spring’s dependency management plugin. For that we use the Gradle’s BOM support and load the Spring Boot BOM file to be able to resolve all required dependencies with the proper version.

So, the tutorial seems indeed to suggest it’s NOT using the io.spring.dependency-management plugin, and this is why I got confused. It’s however true that, on the same page, the tutorial says that the following plugins are needed:

plugins {
    id 'java'
    id 'org.springframework.boot' version '2.0.5.RELEASE'
    id 'io.spring.dependency-management' version '1.0.7.RELEASE'
}

So, indeed, the tutorial seems to contradict itself.

Apart from this aspect, another thing which is not clear in that tutorial, IMHO, is the requirement of strictly requiring snakeyaml version to be 1.19: I mean, the tutorial says:

To comply with the Spring Boot BOM the components block is needed to strictly use the snakeyaml dependency with version 1.19 as the spring-beans dependency has version 1.20 as transitive dependency.

Apart from the fact that the 2.0.5.RELEASE of the Spring Boot BOM is now old, I see that it indeed declares version 1.19 of snakeyaml, but also version 5.0.9.RELEASE of spring-framework-bom which in turn declares version 5.0.9.RELEASE of spring-beans which requires snakeyaml 1.20. I was wondering though why it should be a problem from a consumer point of view: the Spring Boot BOM is requiring a minimal version of snakeyaml of 1.19, isnt’ it? Why the default conflict resolution (which would upgrade snakeyaml to version 1.20) is not desirable here?

Mauro

Sorry I missed that it is our tutorial. It is horribly outdated :confused: as it was written for Gradle 4 (back then the BOM support was still “beta” and worked a bit differently). And yes, it should no longer recommend the ‘io.spring.dependency-management’ plugin.

I also don’t understand the strictly thing. I agree with what you wrote. The only reason to do it there would be if something in spring-beans breaks through the 1.20 update. But if that is the case, the guide should be clear about that. And even then it is debatable if using a component metadata rule is correct here (instead of defining a strict constraint directly in the dependencies block).

I am a bit ashamed of this content now to be honest. I’ll see that we get it updated soon.

Thank you Jendrik, greatly appreciated!

1 Like