Version from the BOM bumped unexpectedly

Hi
In my rootProject I have

allprojects {
    ...
    dependencies {
        configurations.forEach {
            it(platform("org.springframework.boot:spring-boot-dependencies:2.2.8.RELEASE"))
        }
    }
}

Then for some reason in the ..\gradlew dependencies output of a subproject I see this:

runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.boot:spring-boot-dependencies:2.2.8.RELEASE
|    +--- org.springframework.boot:spring-boot:2.2.8.RELEASE -> 2.6.3 (c)

|    |    |    |    +--- org.springframework.boot:spring-boot:2.4.4 -> 2.6.3

And it ends up in my fat jar.
I have no 2.6.3 declared anywhere in the build scripts.

Why is it bumped to 2.6.3 and how do I make it use 2.2.8.RELEASE everywhere?

Besides that it is a code-smell to use allprojects because it couples projects, that it is another smell that you access configurations from within dependencies as it is not a property of DependencyHandlerScope but from the outer Project scope, and that using forEach is not a good idea as you will miss configurations added later (better use configureEach), you can use the dependencyInsight task or a build scan to find out where exactly this version is coming from.

To downgrade the version you might need to use forced versions, which in case of the usage of a platform / BOM means that you use enforcedPlatform(...) instead of platform(...) if it is in an end-product.

forEach was kind of an extreme measure to make it work. Didn’t help though.
We actually do want all of our projects to use the same boot version.
Will try configureEach and enforcedPlatform.
Thanks

configureEach changed nothing.
In the dependencyInsight output there are no mentions of 2.6.3.
If I enforcedPlatform would it prevent me from adjusting versions in subprojects? I need them different in a couple of places.

In the dependencyInsight output there are no mentions of 2.6.3.

Can you show the output?
Can you do a build scan instead?
They are much more usable and detailed.

If I enforcedPlatform would it prevent me from adjusting versions in subprojects? I need them different in a couple of places.

Probably, I never used enforcedPlatform as I was taught it is just a last resort kind of thing if you have no other options.

I think I found one problematic dependency, now it's only 2.4.4 :)
enforcedPlatform enforces the version, but I think it’s better to find all the culprits.
Maybe build scan will help me with it. Never used those yet.

Definitely :) (imho at least)
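
An added example, not part of the thread: one way to "find all the culprits" is to parse the `gradlew dependencies` tree and list every module of a group that did not resolve to the BOM's version, together with the chain of dependencies that pulled it in. The `com.example` coordinates and the sample report are constructed; only the `a -> b`, `(c)`, `(*)` and `(n)` line forms are handled.

```python
import re

# Indent is a run of 5-character units ("|    " or "     "), then "+--- " or "\--- ".
NODE = re.compile(r"^((?:[| ] {4})*)[+\\]--- (.+?)(?: \([c*n]\))?$")

def find_bumps(report, group, pinned):
    """Return (requested, resolved_version, ancestors) for each node of `group`
    that did not resolve to the pinned BOM version."""
    ancestors, bumps = [], []
    for line in report.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # header, blank line or legend
        depth = len(m.group(1)) // 5
        requested, _, resolved = m.group(2).partition(" -> ")
        parts = requested.split(":")
        # No "->" means the requested version is also the resolved one.
        resolved = resolved or (parts[2] if len(parts) > 2 else "")
        del ancestors[depth:]  # keep only the path from the root to this node
        if parts[0] == group and resolved != pinned:
            bumps.append((requested, resolved, list(ancestors)))
        ancestors.append(requested)
    return bumps

# Constructed sample in the format shown in the question (not real build output).
SAMPLE = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.boot:spring-boot-dependencies:2.2.8.RELEASE
|    +--- org.springframework.boot:spring-boot:2.2.8.RELEASE -> 2.6.3 (c)
|    \--- org.springframework.boot:spring-boot-autoconfigure:2.2.8.RELEASE (c)
+--- com.example:internal-starter:1.0.0
|    \--- com.example:internal-client:1.0.0
|         \--- org.springframework.boot:spring-boot:2.4.4 -> 2.6.3
\--- com.example:other-lib:3.1.0
     \--- org.springframework.boot:spring-boot:2.6.3
"""

if __name__ == "__main__":
    hits = find_bumps(SAMPLE, "org.springframework.boot", "2.2.8.RELEASE")
    for requested, resolved, path in hits:
        via = " > ".join(path) or "(direct)"
        print(f"{requested} resolved to {resolved}; pulled in via: {via}")
```

A non-empty result can fail a CI step, so an unexpected framework version is caught before it reaches the fat jar.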