Which Spring Version does my Spring Boot project use? Starter parent in a nutshell

Watch on YouTube

Introduction

"Spring Boot" project packs a lot of dependencies underneath that have been tested and well work together. This speeds up the development process and helps us achieve results faster. However, in some cases, we need to know what those dependencies are. One of the cases that I run from time to time is when I need to determine whether some specific spring boot version is affected by a vulnerability caused by one or more of its dependencies. In some cases, it can be "Spring Core" framework while other's can be log4j (as it happened some time ago). Another situation is when I need to know whether Spring Boot has that particular dependency so that I can use Spring's tested version rather than explicitly specifying my own.

How to determine Spring boot dependencies TL;DR

Using this search.maven.org link go to maven central, choose your Spring Boot version in the dropdown at the top, and use the browser search for your dependency, e.g. for "Spring Core" it would be spring-framework.version

How it works under the hood

spring-boot-dependencies is a .pom file which is also called "Bills of Materials" (BOM). It contains a list of dependencies for a particular "Spring Boot" version that were tested and work well together. By default, all projects "inherit" this configuration allowing "Spring" to provide sensible defaults. This is a good example of Convention over configuration approach where "Spring" allows your code to bootstrap without the need to specify each library version explicitly and ensure there wouldn't be any error while working with imported artifacts.

It's important to note that spring-boot-dependencies doesn't pull any jar's by itself but rather simply lists libraries and their versions. When a dependency is added to a project the build tool (Maven or Gradle) will use the internal logic to scan through BOM to download a "Spring Approved" version and add it to the classpath of a codebase.

However, you won't find spring-boot-dependencies in your project. This is because it's a parent of another .pom called spring-boot-starter-parent. Here's a full inheritance diagram:

your project -> spring-boot-starter-parent -> spring-boot-dependencies

I think the reason to split parent and dependencies poms is a "separation of concerns". While the sole purpose of the latter is to provide a list of dependencies the first has to do a couple more things such as specifying source encoding, resource filtering (properties file), plugin configuration, etc. More information on what parent is doing can be found here.

Maven vs Gradle

Maven

Lastly, I want to quickly go over the build tool difference when it comes to using BOM. I have mentioned the "inheriting from pom" concept which is 100% applicable to "Maven". We can see that in our project:

Ctrl+Click on starter-parent pom:

Gradle

"Gradle" doesn't have a concept of "inheritance", but we still get the same result thanks to the "Gradle" plugins implemented and supported by "Spring" team:

It uses parent and dependencies poms internally to provide the proper version.

Conclusion

Even though it may not be intuitive, I hope this article helped you quickly solve the problem of finding your Spring Core version and gave you more insights into the mechanism of "library resolving" inside Spring.