In a project developed with Spring boot 1.5.7, data-redis and data-jpa was used. Data-jpa version is 1.11.7, data-redis version is 1.8.7. I need to add spring-integration to the project. I will use version 4.3.12. data-jpa version in this version is 1.10.10, data-redis version is 1.7.10.
It is not the same as the data-redis and data-jpa versions used in the project.
What problems can this cause ?
That can't cause any problem as far as you don't override any dependencies provided by Spring Boot. You really should just rely on the well-tested composition of dependencies represented in Spring Boot. Even if Spring Integration 4.3.12 brings Spring Data JPA 1.10.10 as a transitive dependency that doesn't mean that it is not overridden by Spring Boot.
I'm not sure which do to point you out, but one of the main goals in Spring Boot is to bring into the target project consistency and cross-compatibility in the dependencies part.
This might help you a bit: https://docs.spring.io/spring-boot/docs/2.0.3.RELEASE/reference/htmlsingle/#using-boot-dependency-management
Related
So in my organization we started to scan all our application for vurnerabilities and the scanner show up with lots of findings.
Some CVE are easy to be fix, but some require extra steps, and I wonder how to properly fix CVE in transitive dependency, expecially Spring Boot transitive dependency, since many in my application we use the spring boot starter dependency to pull all other spring framework related dependency.
For example one of my application still use Spring Boot version 2.6.2 and some of the CVE foundings include CVE-2022-22978 where I need to upgrade the spring-security-core dependency to a minimum version 5.6.9, it is better to upgrade the spring boot version to the latest 2.6.14 or just upgrade the spring-security-core dependency ? My concern on upgrading the spring boot version to the latest will somehow break my application and will cause a major change to the application.
How do we properly fix CVE issue on the transitive dependency while the direct dependency has not release their fix yet?
Is it safe just to upgrade specific transitive dependency? How do we know if the upgraded transitive dependency compatible with its direct dependency?
We have a Spring Boot App packaged as a war file and deployed on Wildfly. When I update the Spring Boot version from 2.5.6 to 2.6.2, I see lots of exception with Spring Autowire of variables. The problems being reported are circular dependency.
Has something changes with new version of Spring that changes how the autowiring works? I tried to research and can find no mention to changes in that area.
Thanks
The thing is that with the new Spring Boot version, circular dependencies are not allowed by default. Check the release notes.
You can get back to the previous behaviour setting the following configuration:
spring.main.allow-circular-references: true
However, I would suggest you revisit the application design.
Suppose I've created spring boot project with version 2.3.5.RELEASE(Project_1) and other user utility library using spring-boot version 2.3.0.RELEASE(Project_2).
if I Project_2 as dependency in Project_1, will it cause any issues as both project uses different versions of spring-boot?
If the library has a hard dependency on version-specific spring boot functionality, then sure, it will cause an issue. Just like with any dependency.
I am adding GraphQL schema wiring to my legacy microservices. I want to embed the wiring inside each of the spring boot services; The challenge I am running into is my project's Spring boot version is 1.4.5 RELEASE and moving it up to 2.x runs into others issues and would be ideal if I can get a basic graphql schema wiring done without updating version to 2.x. I see from documentation that minimal Spring boot version needed is 2.2.x in articles like this:
https://www.graphql-java.com/tutorials/getting-started-with-spring-boot/
According to the gradle build file for the graphql-java-spring library (https://github.com/graphql-java/graphql-java-spring/blob/master/build.gradle) the oldest supported Spring versions are:
springVersion = "5.1.2.RELEASE"
springBootVersion = "2.1.0.RELEASE"
You can try to compile it with an earlier spring boot version, but there is probably a lot of work to do.
When using the spring plugin for struts 2, is it possible to use the latest version of spring or are you stuck with the version referenced in the plugin? For example in my project I am using struts 2.3.16.3 and its spring plugin automatically uses spring 3.0.5 . So if I add spring 4.1 to my pom as a dependency then there are multiple versions of spring added to the classpath.
You shouldn't have more than one Spring library in your classpath - disaster will be bound to happen. I guess you can either exclude the spring dependency in that plugin or set its version to the one you want.
The main problem with this approach is moving between major versions (3.x to 4.x) - if Spring is respecting Semantic Versioning incompatibilities will exist between the two versions and it is possible (or likely) that struts2-spring-plugin is using something that changed.
Edit: Comment below reports successful usage of struts2-spring-plugin and Spring4.