Subproject downloads dependencies higher version than in lockfiles

After locking dependencies and generating lockfiles successfully for all subprojects with proper versions, the project builds successfully. However, adding a version range to dependencies.gradle (after generating the lockfiles) causes a build error with the following messages:

Could not resolve all files for configuration 
Did not resolve 'org.elasticsearch.client:elasticsearch-rest-high-level-client:7.0.1' which has been forced / substituted to a different version: '7.10.0'
Did not resolve 'org.jboss.spec.javax.annotation:jboss-annotations-api_1.2_spec:1.0.0.Final' which is part of the dependency lock state

With similar messages for other dependencies.

In main project I locked all configurations by
allprojects { dependencyLocking { lockAllConfigurations() } }
It also happens when I lock buildscript configurations with
buildscript { configurations.classpath { resolutionStrategy.activateDependencyLocking() } }

What is a possible solution to this?

Hey @jbinczyk , did you find a solution for this? I think I have similar issues: I specified “3.+”
for my springboot version. I created the lock files when 3.2.1 was active. Now 3.4.1 is active
and I cannot rebuild using the lockfile from 3.2.1.

$ ./gradlew build
...
   > Did not resolve 'org.springframework.boot:spring-boot-autoconfigure:3.2.1' which has been forced / substituted to a different version: '3.4.1'
   > Did not resolve 'org.apache.tomcat.embed:tomcat-embed-websocket:10.1.17' which has been forced / substituted to a different version: '10.1.34'
   > Did not resolve 'org.springframework.boot:spring-boot-starter:3.2.1' which has been forced / substituted to a different version: '3.4.1'
...

Finally read the documentation: Locking Versions


The complete validation is as follows:

  • Existing entries in the lock state must be matched in the build

  • A version mismatch or missing resolved module causes a build failure

  • Resolution result must not contain extra dependencies compared to the lock state

So I probably misunderstood the feature of dependency locking. I thought Gradle would use the locked version, but it seems to warn about version changes.
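The three checks quoted from the documentation above, modelled in Python as an added example (not Gradle's code and not part of any post in this thread). It assumes the `group:name:version=configurations` line layout of `gradle.lockfile`; the lock file and resolution result are constructed from coordinates in the thread, and the wording of the extra-dependency message is modelled on the other two.

```python
def parse_lockfile(text):
    """Return {configuration: {"group:name": version}} from gradle.lockfile text."""
    locked = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        coords, _, confs = line.partition("=")
        names = [c for c in confs.split(",") if c]
        for conf in names:
            locked.setdefault(conf, {})
        if coords != "empty":  # "empty=" lists configurations locked with no modules
            module, _, version = coords.rpartition(":")
            for conf in names:
                locked[conf][module] = version
    return locked

def validate(locked, resolved, configuration):
    """Apply the three checks to one configuration; return failure messages."""
    lock = locked.get(configuration, {})
    failures = []
    for module, version in sorted(lock.items()):
        got = resolved.get(module)
        if got is None:  # locked module missing from the resolution result
            failures.append(f"Did not resolve '{module}:{version}' which is part of the dependency lock state")
        elif got != version:  # something forced a version other than the locked one
            failures.append(f"Did not resolve '{module}:{version}' which has been forced / substituted to a different version: '{got}'")
    for module, version in sorted(resolved.items()):
        if module not in lock:  # extra dependency that the lock state does not know
            failures.append(f"Resolved '{module}:{version}' which is not part of the dependency lock state")
    return failures

# Constructed lock file and resolution result, using coordinates from the thread.
LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
org.apache.tomcat.embed:tomcat-embed-websocket:10.1.17=compileClasspath,runtimeClasspath
org.springframework.boot:spring-boot-autoconfigure:3.2.1=compileClasspath,runtimeClasspath
org.springframework.boot:spring-boot-starter:3.2.1=compileClasspath,runtimeClasspath
empty=annotationProcessor
"""
RESOLVED = {
    "org.springframework.boot:spring-boot-autoconfigure": "3.4.1",
    "org.springframework.boot:spring-boot-starter": "3.2.1",
    "org.example:new-transitive": "1.0",  # hypothetical extra module
}

if __name__ == "__main__":
    print("\n".join(validate(parse_lockfile(LOCKFILE), RESOLVED, "compileClasspath")))
```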

Are you using the Spring Dependency Management plugin?
If so, stop using it.
It is a relic from times when Gradle did not have built-in BOM support and by now does more harm than good.
Even its maintainer recommends not to use it anymore, but instead the built-in BOM support using platform(...).


Hey @Vampire , thx for looking into my issue. You’re right unfortunately.

Are you using the Spring Dependency Management plugin?
Unfortunately “yes”.

I fixed the build.gradle file. I’ll create an example project demonstrating the issue and usage. Without the plugin, the error message changes:

uli@uliip5:.../java-example-gradle-dependency-locking$ ./gradlew build -PspringBootVersion=3.+
> Task :compileJava FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':compileJava'.
> Could not resolve all files for configuration ':compileClasspath'.
   > Could not resolve org.springframework.boot:spring-boot-dependencies:3.4.1.
     Required by:
         root project :
      > Cannot find a version of 'org.springframework.boot:spring-boot-dependencies' that satisfies the version constraints:
           Dependency path 'com.example:java-example-gradle-dependency-locking:0.0.1-SNAPSHOT' --> 'org.springframework.boot:spring-boot-dependencies:3.4.1'
           Constraint path 'com.example:java-example-gradle-dependency-locking:0.0.1-SNAPSHOT' --> 'org.springframework.boot:spring-boot-dependencies:{strictly 3.2.1}' because of the following reason: dependency was locked to version '3.2.1'

> There is 1 more failure with an identical cause.

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.
> Get more help at https://help.gradle.org.

BUILD FAILED in 576ms
1 actionable task: 1 executed

The new error message is much clearer, so we do have an improvement.

Still open: How do I get rid of the error message and just do the build using the versions contained within the lock file?

Here is the example: java-example-gradle-dependency-locking. I’ll add a README.md in a few minutes

Thx + best regards, Uli

You do not lock your plugin versions, only your dependency versions.

But you use a dynamic version for the plugin, which then resolves to the latest 3.4.1. For the BOM dependency you use the exact version of the plugin, but there you have lock information and thus get the error.

Either lock your plugin versions too or do not use the BOM_COORDINATES constant which contains the fixed version of the plugin.


PERFECT!

Thank you SO MUCH!

I made this change:

diff --git a/build.gradle b/build.gradle
index ddc7b75..bdb8d78 100644
--- a/build.gradle
+++ b/build.gradle
@@ -20,6 +20,6 @@ repositories {
 }
 
 dependencies {
-       implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
+       implementation platform("org.springframework.boot:spring-boot-dependencies:${springBootVersion}")
        implementation 'org.springframework.boot:spring-boot-starter-web'
 }
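
Review bot: The added `platform("org.springframework.boot:spring-boot-dependencies:${springBootVersion}")` line takes its version from the same `springBootVersion` property that the build was invoked with as `3.+`, so the BOM is now held at the locked version while the plugin declared with `version "${springBootVersion}"` is still free to resolve to a newer release. The build passes, but the plugin and the BOM can end up on different Spring Boot versions; either lock the buildscript classpath as well or set the property to one exact version so both move together.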

and now it works.

I do have to think about locking of the plugin. Maybe it is better to lock it since
otherwise I’m using a different build environment and maybe I’ll get wrong results.

Thanks a lot for getting this solved! You made my day/week/month!

Locking the plugin via

diff --git a/build.gradle b/build.gradle
index ddc7b75..fea4dd4 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,3 +1,9 @@
+buildscript {
+    configurations.classpath {
+        resolutionStrategy.activateDependencyLocking()
+    }
+}
+
 plugins {
        id 'java'
        id 'org.springframework.boot' version "${springBootVersion}"
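
Review bot: `resolutionStrategy.activateDependencyLocking()` on `configurations.classpath` only enforces versions once lock state for the buildscript has been written, and nothing in this change adds it. With `version "${springBootVersion}"` still accepting `3.+`, regenerate the locks with `--write-locks` after applying this and commit the resulting buildscript lock file alongside the project one, otherwise the plugin version keeps floating on any checkout that lacks it.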

works, too. This is probably better!
