Updating library version, but transitive dependencies stay the same

Time:12-22

In order to fix CVE-2022-41881 I want to update the dependency for netty under org.springframework.boot:spring-boot-starter-reactor-netty:jar:2.7.1 from version 1.0.20 to 1.1.1

This is the section of the dependency tree before the change:

[INFO] |   - org.springframework.boot:spring-boot-starter-reactor-netty:jar:2.7.1:compile
[INFO] |  |  \- io.projectreactor.netty:reactor-netty-http:jar:1.0.20:compile
[INFO] |  |      - io.netty:netty-codec-http:jar:4.1.78.Final:compile
[INFO] |  |     |   - io.netty:netty-common:jar:4.1.78.Final:compile
[INFO] |  |     |   - io.netty:netty-buffer:jar:4.1.78.Final:compile
[INFO] |  |     |   - io.netty:netty-transport:jar:4.1.78.Final:compile
[INFO] |  |     |   - io.netty:netty-codec:jar:4.1.78.Final:compile
[INFO] |  |     |  \- io.netty:netty-handler:jar:4.1.78.Final:compile
[INFO] |  |      - io.netty:netty-codec-http2:jar:4.1.78.Final:compile
[INFO] |  |      - io.netty:netty-resolver-dns:jar:4.1.78.Final:compile
[INFO] |  |     |   - io.netty:netty-resolver:jar:4.1.78.Final:compile
[INFO] |  |     |  \- io.netty:netty-codec-dns:jar:4.1.78.Final:compile
[INFO] |  |      - io.netty:netty-resolver-dns-native-macos:jar:osx-x86_64:4.1.78.Final:compile
[INFO] |  |     |  \- io.netty:netty-resolver-dns-classes-macos:jar:4.1.78.Final:compile
[INFO] |  |      - io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.78.Final:compile
[INFO] |  |     |   - io.netty:netty-transport-native-unix-common:jar:4.1.78.Final:compile
[INFO] |  |     |  \- io.netty:netty-transport-classes-epoll:jar:4.1.78.Final:compile
[INFO] |  |     \- io.projectreactor.netty:reactor-netty-core:jar:1.0.20:compile
[INFO] |  |        \- io.netty:netty-handler-proxy:jar:4.1.78.Final:compile
[INFO] |  |           \- io.netty:netty-codec-socks:jar:4.1.78.Final:compile

When forcing the use of a newer dependency for reactor-netty-http like this:

<dependency>
  <groupId>io.projectreactor.netty</groupId>
  <artifactId>reactor-netty-http</artifactId>
  <version>1.1.1</version>
</dependency>

I end up with this dependency tree:

[INFO] |  |  \- io.projectreactor.netty:reactor-netty-http:jar:1.1.1:compile
[INFO] |  |      - io.netty:netty-codec-http:jar:4.1.78.Final:compile
[INFO] |  |     |   - io.netty:netty-common:jar:4.1.78.Final:compile
[INFO] |  |     |   - io.netty:netty-buffer:jar:4.1.78.Final:compile
[INFO] |  |     |   - io.netty:netty-transport:jar:4.1.78.Final:compile
[INFO] |  |     |   - io.netty:netty-codec:jar:4.1.78.Final:compile
[INFO] |  |     |  \- io.netty:netty-handler:jar:4.1.78.Final:compile
[INFO] |  |      - io.netty:netty-codec-http2:jar:4.1.78.Final:compile
[INFO] |  |      - io.netty:netty-resolver-dns:jar:4.1.78.Final:compile
[INFO] |  |     |   - io.netty:netty-resolver:jar:4.1.78.Final:compile
[INFO] |  |     |  \- io.netty:netty-codec-dns:jar:4.1.78.Final:compile
[INFO] |  |      - io.netty:netty-resolver-dns-native-macos:jar:osx-x86_64:4.1.78.Final:compile
[INFO] |  |     |  \- io.netty:netty-resolver-dns-classes-macos:jar:4.1.78.Final:compile
[INFO] |  |      - io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.78.Final:compile
[INFO] |  |     |   - io.netty:netty-transport-native-unix-common:jar:4.1.78.Final:compile
[INFO] |  |     |  \- io.netty:netty-transport-classes-epoll:jar:4.1.78.Final:compile
[INFO] |  |     \- io.projectreactor.netty:reactor-netty-core:jar:1.0.20:compile
[INFO] |  |        \- io.netty:netty-handler-proxy:jar:4.1.78.Final:compile
[INFO] |  |           \- io.netty:netty-codec-socks:jar:4.1.78.Final:compile

As you can see, reactor-netty-http has the correct version, but all the dependencies underneath are still at the same version, although according to Maven Central they should be 4.1.86.Final.

These dependencies are only defined through reactor-netty-http, so there should not be anything else that forces it to a lower version.

Any idea why an outdated version is used here?

CodePudding user response:

The Netty version is controlled by Spring Boot. In order to update it, add the property below to your pom.xml:

<properties>
    <netty.version>4.1.86.Final</netty.version>
</properties>

See more here

CodePudding user response:

If you are using spring-boot-dependencies via import scope (BOM) in your project instead of spring-boot-starter-parent as the parent of your project, you have to be aware that you must define the netty-bom before the spring-boot-dependencies BOM in your dependencyManagement.

The following will overwrite the versions of the netty parts correctly:

  <dependencyManagement>
    <dependencies>
      ...
      <!-- netty-bom must come first: when several imported BOMs manage the
           same artifact, Maven keeps the version from the first one declared -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
        <version>4.1.86.Final</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>${spring.boot.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
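Whichever of the two fixes above you apply, the check that matters is the resolved tree afterwards: every io.netty artifact must be at or above the patched version, and reactor-netty-http and reactor-netty-core should no longer be at different versions (the question's override bumped only the former). The following script is an added example, not code from the original post or from Spring Boot or Maven: it parses `mvn dependency:tree` output and reports both problems. The sample lines are constructed from the question's "after" tree, with one io.netty line deliberately set to 4.1.86.Final to show a non-flagged artifact, and the version comparison is a simplification of Maven's ComparableVersion that is sufficient for Netty's `major.minor.patch.Final` scheme.

```python
"""Audit `mvn dependency:tree` output for outdated or mixed artifact versions.

Example added to this page; not part of the original post. Assumptions:
  - input is the plain-text tree printed by `mvn dependency:tree`
  - version ordering is a simplified ComparableVersion (numeric parts as
    integers, everything else as strings), which is enough for Netty's
    4.1.NN.Final scheme but not a full reimplementation of Maven's rules
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample, derived from the question's tree after the override.
# netty-common is set to 4.1.86.Final here so the output shows one artifact
# that is NOT flagged; the plugin header line is constructed as well.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ demo ---
[INFO] |  |  \\- io.projectreactor.netty:reactor-netty-http:jar:1.1.1:compile
[INFO] |  |      - io.netty:netty-codec-http:jar:4.1.78.Final:compile
[INFO] |  |     |   - io.netty:netty-common:jar:4.1.86.Final:compile
[INFO] |  |      - io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.78.Final:compile
[INFO] |  |     \\- io.projectreactor.netty:reactor-netty-core:jar:1.0.20:compile
[INFO] |  |        \\- io.netty:netty-handler-proxy:jar:4.1.78.Final:compile
""".splitlines()


def parse_version(version: str) -> Tuple:
    """'4.1.86.Final' -> ((0,4),(0,1),(0,86),(1,'Final')); tuples compare in order.

    Numeric segments sort before textual ones, so 4.1.78.Final < 4.1.86.Final.
    """
    return tuple(
        (0, int(part)) if part.isdigit() else (1, part)
        for part in re.split(r"[.-]", version)
    )


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (group, artifact, version) for a dependency line, else None.

    Strips the '[INFO]' prefix and the ASCII tree drawing, then splits the
    coordinate, which is either group:artifact:type:version:scope or, with a
    native classifier, group:artifact:type:classifier:version:scope.
    """
    body = line.split("[INFO]", 1)[-1].strip(" |+-\\")
    fields = body.split(":")
    if len(fields) == 5:
        group, artifact, _type, version, _scope = fields
    elif len(fields) == 6:
        group, artifact, _type, _classifier, version, _scope = fields
    else:
        return None  # plugin headers, blank lines, etc.
    return group, artifact, version


def outdated(tree_lines: List[str], group: str, minimum: str) -> List[Tuple[str, str]]:
    """Artifacts of `group` resolved below `minimum`, as sorted (artifact, version) pairs."""
    floor = parse_version(minimum)
    found: Dict[str, str] = {}
    for line in tree_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        g, artifact, version = parsed
        if g == group and parse_version(version) < floor:
            found[artifact] = version
    return sorted(found.items())


def versions_in_group(tree_lines: List[str], group: str) -> List[str]:
    """Distinct versions resolved for `group`; more than one means a mixed set of jars."""
    seen: Set[str] = set()
    for line in tree_lines:
        parsed = parse_line(line)
        if parsed is not None and parsed[0] == group:
            seen.add(parsed[2])
    return sorted(seen, key=parse_version)


if __name__ == "__main__":
    # Typical use: mvn dependency:tree > tree.txt, then feed tree.txt here.
    for artifact, version in outdated(SAMPLE_TREE, "io.netty", "4.1.86.Final"):
        print(f"STILL VULNERABLE: io.netty:{artifact}:{version}")
    reactor = versions_in_group(SAMPLE_TREE, "io.projectreactor.netty")
    if len(reactor) > 1:
        print(f"MIXED reactor-netty versions: {', '.join(reactor)}")
```

Run it against the real `mvn dependency:tree` output after adding the `netty.version` property or the netty-bom import; an empty report for io.netty and a single reactor-netty version is the state you want before closing the CVE ticket.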