Watch on YouTube
"Spring Boot" project packs a lot of dependencies underneath that
have been tested and well work together. This speeds up the development
process and helps us achieve results faster. However, in some cases, we
need to know what those dependencies are. One of the cases that I run
from time to time is when I need to determine whether some specific
spring boot version is affected by a vulnerability caused by one or more
of its dependencies. In some cases, it can be "Spring Core" framework
while other's can be
log4j (as it happened some time ago).
Another situation is when I need to know whether Spring Boot has that
particular dependency so that I can use Spring's tested version rather
than explicitly specifying my own.
How to determine Spring boot dependencies TL;DR
Using this search.maven.org
link go to maven central, choose your Spring Boot version in the
dropdown at the top, and use the browser search for your dependency,
e.g. for "Spring Core" it would be
Select Spring Boot Version:
Find Spring Version:
How it works under the hood
spring-boot-dependencies is a
which is also called "Bills of Materials" (BOM). It contains a
list of dependencies for a particular "Spring Boot" version that were
tested and work well together. By default, all projects "inherit" this
configuration allowing "Spring" to provide sensible defaults. This is a
good example of Convention over configuration approach where
"Spring" allows your code to bootstrap without the need to specify each
library version explicitly and ensure there wouldn't be any error while
working with imported artifacts.
It's important to note that
doesn't pull any
jar's by itself but rather simply
lists libraries and their versions. When a dependency is added to a
project the build tool (Maven or Gradle) will use the internal logic to
scan through BOM to download a "Spring Approved" version and add it to
the classpath of a codebase.
However, you won't find
spring-boot-dependencies in your
project. This is because it's a parent of another
spring-boot-starter-parent. Here's a full
your project -> spring-boot-starter-parent -> spring-boot-dependencies
I think the reason to split
dependencies poms is a "separation of concerns". While the
sole purpose of the latter is to provide a list of dependencies the
first has to do a couple more things such as specifying source encoding,
resource filtering (properties file), plugin configuration, etc. More
information on what
parent is doing can be found here.
Maven vs Gradle
Lastly, I want to quickly go over the build tool difference when it comes to using BOM. I have mentioned the "inheriting from pom" concept which is 100% applicable to "Maven". We can see that in our project:
Starter Parent pom.xml:
"Gradle" doesn't have a concept of "inheritance", but we still get the same result thanks to the "Gradle" plugins implemented and supported by "Spring" team:
Gradle dependency management plugin:
internally to provide the proper version.
Even though it may not be intuitive, I hope this article helped you quickly solve the problem of finding your Spring Core version and gave you more insights into the mechanism of "library resolving" inside Spring.