Slackbot
09/14/2022, 3:07 PMJohn
09/14/2022, 3:07 PMCannot select module with conflict on capability 'com.grubhub.roux5:roux-bom-derived-platform:5.26.5' also provided by [com.grubhub.roux5:roux-bom:5.26.5(platform-runtime), com.grubhub.roux5:roux-bom:5.26.5(enforced-platform-runtime)]
Fleshgrinder
09/14/2022, 3:18 PM[versions]
dependency = '1.2.3'
[libraries]
org-group-module-a = { module = 'org.group:module-a', version.ref = 'dependency' }
org-group-module-b = { module = 'org.group:module-b', version.ref = 'dependency' }
dependencies {
api(libs.org.group.module.a)
api(libs.org.group.module.b)
}
If you actually want to expose the BOM (which sometimes sadly is necessary because too many vendors do not know how to work correctly with BOMs) then api(platform("..."))
is the way to go, even in a library.Fleshgrinder
09/14/2022, 3:19 PMJohn
09/14/2022, 3:40 PMJohn
09/14/2022, 3:41 PMJohn
09/14/2022, 3:42 PMFleshgrinder
09/14/2022, 3:43 PMplatform
and not enforcedPlatform
it should work, yes. Gradle should also warn or even refuse it publish things with an enforcedPlatform
. This really is only for edge cases.
I would still recommend to strictly use version catalogs for managing versions and BOMs for alignment, and to not mix them. In a perfect world nobody would ever have to have a BOM in any build script, unless it is their own.Jean Helou
09/14/2022, 3:50 PMIn a perfect world nobody would ever have to have a BOM in any build script, unless it is their own.In a perfect world nobody would ever have to have a BOM in any build script, unless it is their own.hi, I find this discussion very interesting as I am investigating how to replace spring's dependency management plugin with more native gradle constructs. Am I correct to assume that such a case is one of the edge case where depending on a bom is inevitable ? I have been unable to find a version catalog published by the spring boot project but I may have missed things
Fleshgrinder
09/14/2022, 3:54 PMimplementation(platform(SpringBootPlugin.BOM_COORDINATES))
(and if you need it in other configurations add it there too, e.g. kapt(platform(SpringBootPlugin.BOM_COORDINATES))
).
The only reason why the Spring team still provides the plugin is for users to easily change versions of broken transitive dependencies without knowing the ins and outs of how Gradle resolution works. Well, this applies to newer Gradle versions. Old Gradle versions lacked a lot of features and thus forced Spring to provide the plugin, but those days are gone.
See also https://github.com/spring-projects/spring-boot/issues/29588#issuecomment-1028861122Jean Helou
09/14/2022, 4:08 PMimport
that bom using spring's dependency plugin then override the dependencies that didn't resolve to the correct versions using dependencies
entries.
I must say I am unsure what a proper idiomatic gradle override would look like and how version catalogs and platforms fit in there.
I am trying to search this slack, as well as the forums and internet at large but without luck until nowFleshgrinder
09/14/2022, 4:10 PMJean Helou
09/14/2022, 4:13 PMJean Helou
09/14/2022, 4:14 PMFleshgrinder
09/14/2022, 4:17 PMJean Helou
09/14/2022, 4:19 PMPhanindra R
09/15/2022, 12:40 AMbom:1
at all? If not, you could exclude it from the published .pom and .module files by using a custom Gradle configuration + resolved versions in publications. Here's a sample project which demonstrates that - https://github.com/jjohannes/gradle-demos/tree/main/internal-platformVampire
09/16/2022, 10:18 AMThe only reason why the Spring team still provides the plugin is for users to easily change versions of broken transitive dependencies without knowing the ins and outs of how Gradle resolution works. Well, this applies to newer Gradle versions. Old Gradle versions lacked a lot of features and thus forced Spring to provide the plugin, but those days are gone.
That is not actually true @Fleshgrinder. Don't get me wrong, I also prefer and advice to use Gradle native functionality if it is just about using a BOM. But the plugin has additional unique functionality people might want to use like porting over imho broken-by-design features from Maven to the Gradle world and other things. So the plugin is not only maintained because of the version overwrites. ;-)
Fleshgrinder
09/16/2022, 11:25 AMVampire
09/16/2022, 4:47 PMFleshgrinder
09/16/2022, 5:09 PMTo manage dependencies in your Spring Boot application, you can either apply the {dependency-management-plugin}[`io.spring.dependency-management`] plugin or, if you are using Gradle 6 or later, use Gradle's native bom support.
The primary benefit of the former is that it offers property-based customization of managed versions, while using the latter will likely result in faster builds.
I know that Gradle did not support various BOM features Maven did (e.g. exclusions), and I know that Gradle resolves dependencies differently than Maven and that some people tried to bend Gradle to resolve them the same way (not sure if this plugin did). However, Maven resolving is broken and Gradle does support all BOM features by now (well, during consumption; it is not possible for us to use all BOM features with the platform
plugin yet https://github.com/gradle/gradle/issues/12214).
Anyway, unless you have some credible sources I stick with what I've learned over the past years and do not use the dependency management plugin in any of my projects. So far I faired well with this and do not fear recommending anyone to do the same.Andy Wilkinson
09/16/2022, 6:23 PMSo the plugin is not only maintained because of the version overwrites. 😉@Vampire I'm afraid you're mistaken. That is the only reason that the plugin is still maintained. Support for Maven-style exclusion semantics will be removed in the future . In fact, it would have already happened if we'd had the bandwidth for it. I'd strongly encourage you to look at using Gradle's built-in platform support and find an alternative way of dealing with the lack of property-based version overrides.
Fleshgrinder
09/16/2022, 7:31 PMAndy Wilkinson
09/16/2022, 7:34 PMFleshgrinder
09/16/2022, 7:52 PMspring:platform
and two modules called spring:a
and spring:b
. All of them are properly released together with a matching version (just like in the Spring case). The spring:platform:1
references spring:a:1
and `spring🅱️1`; the spring:platform:1
references spring:a:1
and `spring🅱️1`; and so forth. Now if I do…
dependencies {
implementation("spring:a:1")
implementation("spring:b:2")
}
…things are not going to be aligned, since I did not manually add the BOM. Suppose now that both modules reference the respective BOM and we would get auto-alignment (not only in Gradle, but also in Maven).
I see a lot of projects where people don’t know what BOMs are and they keep on writing the versions they need manually everywhere. Having all the modules include their BOM would solve possible issues they might encounter. This is especially true if they inherit those dependencies through transitives.
I also see most projects not having BOMs, and those who do are not actually referencing their own BOMs in their dependencies. Ultimately reducing the value the BOM can actually provide.
A project I know of where this is done correctly is Jackson, see: https://github.com/FasterXML/jackson-annotations/blob/082ee2812f0a7019516181947e591d8ed624425a/pom.xml#L129-L137Andy Wilkinson
09/16/2022, 7:55 PMSuppose now that both modules reference the respective BOM and we would get auto-alignment (not only in Gradle, but also in Maven).I don't believe that's the case. Assuming Maven pom metadata here as that's the lowest common denominator, I don't believe a bom that's imported or used as a parent in those modules will affect the dependency graph of a consuming project. For example, Maven will just take the version that's nearest to the root of the graph so you'll end up with
spring:a:1
and spring:b:2
as the versions declared in the pom are only one edge from the root.Fleshgrinder
09/16/2022, 7:57 PMAndy Wilkinson
09/16/2022, 8:02 PMspring-boot-bom
that was a true bill of materials for Boot's own modules. I don't think Boot's modules should reference spring-boot-dependencies
as that's too opinionated and we intentionally allow people to choose not to use Boot's management of third-party dependencies.John
09/16/2022, 8:14 PMAndy Wilkinson
09/16/2022, 8:15 PMFleshgrinder
09/16/2022, 8:19 PMFleshgrinder
09/16/2022, 8:57 PMVampire
09/19/2022, 4:16 PM@Vampire I'm afraid you're mistaken. That is the only reason that the plugin is still maintainedNo need to @Andy Wilkinson, I'm happy I was outdated. That was the info I was given by some Spring guy (don't remember who it was) when I said similar things as Fleshgrinder here. So things probably have changed to the better in the meantime. 🙂
Anyway, unless you have some credible sources I stick with what I've learned over the past years and do not use the dependency management plugin in any of my projects. So far I faired well with this and do not fear recommending anyone to do the same.@Fleshgrinder as said before, I would never recommend anything else and I'm also never using the dep-management plugin and always advise to use the built-in support when I see it used. I just said that the dep-management is not the only functionality of the plugin that someone might want to use as that was what I was told in the past by some Spring guy when I said the plugin is useless with the added native BOM support in Gradle. :-)