为什么Gradle将我的图书馆的传递依赖项更改为新版本?如何停止?
详细信息
我正在为使用Spring Security的公司开发内部插件库。该插件明确声明了对最新版本的Spring Security 4的依赖:
compile ('org.springframework.security:spring-security-core:4.2.13.RELEASE') {
force = true
}
当我在客户端项目中包含插件时,Gradle会将我从Spring Security 4升级到5,这会破坏插件。
compile 'com.mycompany:my-security-plugin:0.3.0-SNAPSHOT'
这是客户端项目中dependencyInsight的输出:
> Task :dependencyInsight
org.springframework.security:spring-security-core:5.1.6.RELEASE (selected by rule)
variant "compile" [
org.gradle.status = release (not requested)
org.gradle.usage = java-api
org.gradle.component.category = library (not requested)
]
org.springframework.security:spring-security-core:5.1.6.RELEASE
+--- org.springframework.security:spring-security-config:5.1.6.RELEASE
| \--- com.mycompany:my-security-plugin:0.3.0-SNAPSHOT:20200122.162056-4 (requested org.springframework.security:spring-security-config:4.2.13.RELEASE)
| \--- compileClasspath
\--- org.springframework.security:spring-security-web:5.1.6.RELEASE
\--- com.mycompany:my-security-plugin:0.3.0-SNAPSHOT:20200122.162056-4 (requested org.springframework.security:spring-security-web:4.2.13.RELEASE) (*)
org.springframework.security:spring-security-core:4.2.13.RELEASE -> 5.1.6.RELEASE
\--- com.mycompany:my-security-plugin:0.3.0-SNAPSHOT:20200122.162056-4
\--- compileClasspath
在所有情况下,在我看来,我都在配置中请求Spring Security 4。我在做什么错了?
我正在使用Gradle 5.1.1。
更新
作为一种解决方法,可以使客户端应用使用特定版本声明对Spring安全性的直接依赖关系。如果可能的话,我正在努力避免这种情况。
更新2
gradlew dependencyInsight --dependency org.springframework.security:spring-security-web的输出:
> Task :dependencyInsight
org.springframework.security:spring-security-web:5.1.6.RELEASE (selected by rule)
variant "compile" [
org.gradle.status = release (not requested)
org.gradle.usage = java-api
org.gradle.component.category = library (not requested)
]
org.springframework.security:spring-security-web:4.2.13.RELEASE -> 5.1.6.RELEASE
\--- com.mycompany:my-security-plugin:0.3.0-SNAPSHOT:20200122.162056-4
\--- compileClasspath
更新3
buildEnvironment通过grails包括以下内容:
+--- org.springframework.boot:spring-boot-gradle-plugin:2.1.9.RELEASE
| | +--- org.springframework.boot:spring-boot-loader-tools:2.1.9.RELEASE (*)
| | +--- io.spring.gradle:dependency-management-plugin:1.0.8.RELEASE
答案 0 :(得分:1)
在假设您使用Spring Dependency Management插件(io.spring.dependency-management)以及Spring Boot Gradle插件(org.springframework.boot)方面我是否正确?这样一来,无论构建设置请求的其他内容如何,这种组合很有可能还会为您管理spring-security-core的最终版本。
我有以下两个Gradle构建彼此相邻(为了简洁起见,省略了Gradle 5.1.1包装器文件):
my-security-plugin
└── build.gradle
my-client
├── build.gradle
└── settings.gradle
从my-client中运行下面的Gradle命令可以给我(大致)与OP的问题相同的输出:
./gradlew dependencyInsight --configuration compile --dependency org.springframework.security:spring-security-core
my-security-plugin/build.gradle plugins {
id 'java'
}
group = 'com.mycompany'
version = '0.3.0-SNAPSHOT'
repositories {
jcenter()
}
dependencies {
compile ('org.springframework.security:spring-security-core:4.2.13.RELEASE') {
force = true
}
compile 'org.springframework.security:spring-security-config:4.2.13.RELEASE'
compile 'org.springframework.security:spring-security-web:4.2.13.RELEASE'
}
my-client/build.gradle plugins {
id 'java'
id 'org.springframework.boot' version '2.1.7.RELEASE'
id 'io.spring.dependency-management' version '1.0.9.RELEASE'
}
group = 'com.mycompany'
version = '1.0.0'
repositories {
jcenter()
}
dependencies {
implementation 'org.springframework.boot:spring-boot-starter-security'
compile 'com.mycompany:my-security-plugin:0.3.0-SNAPSHOT'
}
my-client/settings.gradle includeBuild '../my-security-plugin'
此文件仅用于定义Gradle复合构建; includeBuild不会出现在生产版本中,您宁愿将my-security-plugin发布到某个my-client从其下载的存储库中。
如简介中所述,Spring Dependency Management插件和Spring Boot Gradle插件的组合为您的构建定义了spring-security-core的版本。除了您自己的解决方法之外,还有三种方法可以获取所需的版本:
spring-security-core相同版本:id 'org.springframework.boot' version '1.5.22.RELEASE' ext['spring-security.version'] = '4.2.13.RELEASE' 所有这些解决方案显然都有缺点:
现在您只需要选择邪恶程度较小的;-)