While porting to Spring Boot 2.0.0.RC1 I noticed that it uses managed version 2.9.2 for jackson-core and jackson-databind and 2.9.0 for jackson-annotations.
Why do you use 2.9.0 for jackson-annotations and not 2.9.2?
According with their jackson-annotations documentation:
Annotations module will never contain changes in patch versions,
only .0 releases can have changes. We may still release patch versions, but
they will be identical to .0 versions, and only released for convenience
(developers can line up all Jackson components with same patch version number).
It can be found in: https://github.com/FasterXML/jackson-annotations/blob/master/release-notes/VERSION
Related
For a given spring version how do I find out which if the latest version of a component is supported or not,For example-if we are using spring boot (v1.5.8.RELEASE) ,how do I know if that spring version supports the latest version of a component say netty-all (4.1.63.Final) or the spring boot version does not support it and needs a spring version upgrade
I guess you put the version into your POM and run your tests. Then you'll see.
I already have parent management in my app
springboot version is 2.1.7
springcloud version is Greenwich.SR2
I want import this
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-zipkin</artifactId>
<version>2.2.3.RELEASE</version>
but final version is 2.1.X
how to lock dependency version
You have everything messed up.you're using sleuth in version 2.2.x that requires boot 2.2.x or 2.3.x and is part of the hoxton release train but you're using greenwich release train with an incompatible version of boot. Please don't use explicit version of cloud projects but get them from the bom. If you want to use latest sleuth, please use latest boot and latest release train
The Spring Boot 2.1.1 managed version of Jackson is 2.9.7 which is superseded by Jackson 2.9.8. Our build is reporting exploitable vulnerabilities related to the older Jackson version.
If this point change in the managed dependency version cannot be accommodated promptly by Spring, is there a property I can set to force the version bump in my build.gradle?
Yes there is and it is even documented:
To customize a managed version you set its corresponding property.
To customize Jackson, you can add the following to your build:
ext['jackson.version'] = '2.9.8'
Jackson 2.9.8 has been upgraded and will be available as of 2.0.8.RELEASE due next week.
Can I know about what are the spring-boot supported versions for log4j. Because I use spring-boot version 1.5.9. It is already support for log4j2 and I want to know what is the latest version that support for log4j.
All latest versions of Spring Boot supports log4j2.
Current version of Spring Boot 2.0.0 supports log4j2 version 2.10.0. You can verify other dependency versions from here.
What are the compatible release version for jars mentioned below for SPRING 3.2.8 release
spring-data-commons-core
spring-data-mongodb
spring-integration-core
spring-ws-core
spring-xml
You could try these jars:
spring-data-commons-core-1.2.0.RELEASE.jar
spring-data-mongodb-1.2.0.RELEASE.jar
spring-integration-core-3.0.0.RELEASE.jar
spring-ws-core-2.1.4.RELEASE.jar
spring-xml-2.0.3.RELEASE.jar
When you upgrade to Spring 4.0, then you could have a look at the spring-boot-dependencies.pom, it contains a set of Dependencies (and there version) that work together.
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
Btw: I recommend to update to Spring 4.0, to be able to update to 4.1 when necessary. Because:
Both (4.0.5 and 3.2.9) of those are designed as a final feature release in the respective line - we will only consider further releases from the 4.0.x and 3.2.x branches in case of serious bugs now. (Spring Blog: Spring Framework 4.0.5 & 3.2.9 released - next stop: 4.1)