- edited description
Consider using explicit dependencies rather than version ranges
Issue #289
duplicate
Please consider using explicit dependency versions rather than version ranges. This makes the build non repeatable and expressing an opinion here does not prevent users to override to a more recent version, either via dependency management or by declaring the dependency with a specific version.
There is a non-optional dependency that can lead to subtle issue, such as this one:
java.lang.RuntimeException: org.eclipse.aether.resolution.DependencyResolutionException: Failed to collect dependencies at com.okta.spring:okta-spring-boot-starter:pom:1.4.0 -> com.okta.spring:okta-spring-security-oauth2:jar:1.4.0 -> org.springframework.security:spring-security-oauth2-client:jar:5.3.0.RC1 -> com.nimbusds:oauth2-oidc-sdk:jar:6.23 -> net.minidev:json-smart:jar:2.3-SNAPSHOT
12:25:46 at io.spring.start.site.MetadataVerificationTests.dependencyStarterConfigurationIsCorrect(MetadataVerificationTests.java:78)
12:25:46Caused by: org.eclipse.aether.resolution.DependencyResolutionException: Failed to collect dependencies at com.okta.spring:okta-spring-boot-starter:pom:1.4.0 -> com.okta.spring:okta-spring-security-oauth2:jar:1.4.0 -> org.springframework.security:spring-security-oauth2-client:jar:5.3.0.RC1 -> com.nimbusds:oauth2-oidc-sdk:jar:6.23 -> net.minidev:json-smart:jar:2.3-SNAPSHOT
12:25:46 at io.spring.start.site.MetadataVerificationTests.dependencyStarterConfigurationIsCorrect(MetadataVerificationTests.java:78)
12:25:46Caused by: org.eclipse.aether.collection.DependencyCollectionException: Failed to collect dependencies at com.okta.spring:okta-spring-boot-starter:pom:1.4.0 -> com.okta.spring:okta-spring-security-oauth2:jar:1.4.0 -> org.springframework.security:spring-security-oauth2-client:jar:5.3.0.RC1 -> com.nimbusds:oauth2-oidc-sdk:jar:6.23 -> net.minidev:json-smart:jar:2.3-SNAPSHOT
12:25:46 at io.spring.start.site.MetadataVerificationTests.dependencyStarterConfigurationIsCorrect(MetadataVerificationTests.java:78)
12:25:46Caused by: org.eclipse.aether.resolution.ArtifactDescriptorException: Failed to read artifact descriptor for net.minidev:json-smart:jar:2.3-SNAPSHOT
12:25:46 at io.spring.start.site.MetadataVerificationTests.dependencyStarterConfigurationIsCorrect(MetadataVerificationTests.java:78)
12:25:46Caused by: org.eclipse.aether.resolution.ArtifactResolutionException: Could not find artifact net.minidev:json-smart:pom:2.3-SNAPSHOT in central (https://repo1.maven.org/maven2)
12:25:46 at io.spring.start.site.MetadataVerificationTests.dependencyStarterConfigurationIsCorrect(MetadataVerificationTests.java:78)
12:25:46Caused by: org.eclipse.aether.transfer.ArtifactNotFoundException: Could not find artifact net.minidev:json-smart:pom:2.3-SNAPSHOT in central (https://repo1.maven.org/maven2)
12:25:46 at io.spring.start.site.MetadataVerificationTests.dependencyStarterConfigurationIsCorrect(MetadataVerificationTests.java:78)
Using a snapshot for a release by default is definitely not something we want to do. Thanks for the consideration.
Comments (4)
-
reporter -
- changed status to resolved
Made deps explicit: df50efb8
-
- changed status to duplicate
Duplicate of
#261. -
SHould be out as v7.0.3 in a few minutes. Happy coding!
- Log in to comment