Inherit Spring Boot managed dependency versions in grails-bom#15730
Open
jamesfredley wants to merge 2 commits into
Open
Inherit Spring Boot managed dependency versions in grails-bom#15730jamesfredley wants to merge 2 commits into
jamesfredley wants to merge 2 commits into
Conversation
Remove version pins from the root dependencies.gradle that duplicate versions already managed by the spring-boot-dependencies BOM (Spring Boot 4.1.0). Where our pin equals Spring Boot's managed version it is dead weight that only blocks free patch and security updates when Spring Boot bumps the dependency, so it is removed and inherited from Spring Boot. Removed (each equal to Spring Boot 4.1.0's managed version): - byte-buddy 1.18.10 (and byte-buddy-agent) - commons-codec 1.21.0 - commons-lang3 3.20.0 - jakarta.servlet-api 6.1.0 - jakarta.validation-api 3.1.1 - junit / junit-jupiter 6.0.3 (the 12 junit-* entries plus the redundant junit-bom platform import; Spring Boot already imports junit-bom:6.0.3) - mongodb 5.8.0 (bson, mongodb-driver-core, mongodb-driver-sync, bson-record-codec) - rxjava3 3.1.12 Also drop the jakarta.servlet/jakarta.validation excludes from grails-bom/base/build.gradle. They only existed to win a since-resolved selenium-versus-Spring-Boot conflict; both versions now match Spring Boot, so its platform can manage them. Kept intentionally: graphql-java 25.0 is retained as a deliberate drift tripwire (graphql-java-extended-scalars is not managed by Spring Boot and must move in lockstep), with a rationale comment added; groovy 4.0.32 and selenium 4.38.0 remain intentionally divergent; spring-retry stays because Spring Boot 4 dropped its management. The legacy grails-shell-cli derives its own dependency management by parsing the published grails-bom POM and previously skipped third-party imports such as spring-boot-dependencies. Teach GrailsDependencyVersions to also follow third-party imported BOMs, with cycle protection and first-writer-wins precedence so Grails' own pinned versions still win, so the CLI keeps surfacing the versions now inherited from Spring Boot. Verified by regenerating the grails-bom and grails-base-bom POMs (only the removed constraints disappear; the Spring Boot import remains), confirming every affected module resolves the removed dependencies to Spring Boot's identical versions, and running validateDependencyVersions across all modules. Fixes #15674 Assisted-by: claude-code:claude-opus-4-8
Contributor
There was a problem hiding this comment.
Pull request overview
This PR reduces redundant version pinning in grails-bom by removing constraints that exactly match Spring Boot 4.1.0’s managed versions, allowing Grails to automatically inherit future patch/security updates when Spring Boot bumps those dependencies. It also updates the legacy grails-shell-cli BOM parsing logic so that versions managed only behind third-party imported BOMs (notably spring-boot-dependencies) are still surfaced to the CLI.
Changes:
- Removed
dependencies.gradlepins/constraints that duplicate Spring Boot 4.1.0’s managed versions (e.g., byte-buddy, commons-codec/lang3, jakarta servlet/validation, junit, mongodb, rxjava3). - Updated
GrailsDependencyVersionsto recurse into third-party imported BOMs with cycle/duplicate protection, per-POM property resolution, and “first-writer-wins” precedence. - Updated/expanded
grails-shell-clispecs to cover third-party BOM recursion, deduplication, and transitive BOM imports; removed no-longer-needed exclusions in the BOM Gradle build.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
grails-shell-cli/src/test/groovy/org/grails/cli/boot/GrailsDependencyVersionsSpec.groovy |
Updates tests to validate third-party BOM recursion, de-duplication, and transitive import handling. |
grails-shell-cli/src/main/groovy/org/grails/cli/boot/GrailsDependencyVersions.groovy |
Implements recursive resolution of imported BOMs (including third-party) with precedence and cycle protection. |
grails-bom/base/build.gradle |
Removes Jakarta excludes that were previously used for an older conflict and are now redundant. |
dependencies.gradle |
Removes redundant BOM pins so versions inherit from Spring Boot 4.1.0; adds rationale comment for intentionally retained graphql-java “tripwire”. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
Author
|
We need to figure out if selenium 4.38.0 should still be behind Spring Boot. |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## 8.0.x #15730 +/- ##
==================================================
- Coverage 48.4322% 48.4301% -0.0021%
- Complexity 15265 15267 +2
==================================================
Files 1875 1875
Lines 85852 85866 +14
Branches 14972 14976 +4
==================================================
+ Hits 41580 41585 +5
- Misses 37863 37865 +2
- Partials 6409 6416 +7
🚀 New features to boost your workflow:
|
Contributor
|
Doe the spec have to hard code the spring bom version or can it resolve whatever the current one used is? 4.1.x? |
✅ All tests passed ✅🏷️ Commit: 6797b26 Learn more about TestLens at testlens.app. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Stop maintaining
grails-bomversion pins that duplicate versions already managed by thespring-boot-dependenciesBOM (Spring Boot 4.1.0). Where our pin equals Spring Boot's managed version, the pin is dead weight: it only blocks free patch/security updates whenever Spring Boot bumps the dependency. Those pins are removed so the BOM inherits the version from Spring Boot.Fixes #15674
Removed (each equal to Spring Boot 4.1.0's managed version)
byte-buddy(+byte-buddy-agent)commons-codeccommons-lang3jakarta.servlet-apijakarta.validation-apijunit/junit-jupiter(12junit-*entries +junit-bomplatform import)junit-bom:6.0.3mongodb(bson, driver-core, driver-sync, bson-record-codec)rxjava3Also removed the
jakarta.servlet/jakarta.validationexcludes fromgrails-bom/base/build.gradle- they only existed to win a since-resolved selenium-vs-Spring-Boot conflict, and both versions now match Spring Boot.Kept intentionally
graphql-java25.0 - retained as a deliberate drift tripwire (rationale comment added), becausegraphql-java-extended-scalarsis not managed by Spring Boot and must move in lockstep.groovy4.0.32 - intentional major divergence vs Spring Boot's 5.0.6 (Grails 8 baseline / Spock 2.4-groovy-4.0).selenium4.38.0 - left pinned. It is now behind Spring Boot's 4.43.0, so dropping it would be a version bump (Geb/functional impact), not a pure inheritance. Worth a separate follow-up decision.spring-retry2.0.11 - Spring Boot 4 dropped management.Legacy CLI fix (required so this doesn't regress)
grails-shell-clibuilds its own dependency management by parsing the publishedgrails-bomPOM, and previously skipped third-party imports such asspring-boot-dependencies(there was a test enforcing this). After this cleanup those versions only exist behind the Spring Boot import, soGrailsDependencyVersionsnow follows third-party imported BOMs too, with:spring-boot-dependenciesis imported by bothgrails-bomandgrails-base-bom),${...}property resolution (fixes a latent property-table clobbering bug during recursion).The spec test that asserted third-party BOMs are never resolved was inverted; precedence, cycle-protection and nested-import coverage were added.
Verification
grails-bomandgrails-base-bomPOMs and diffed against baseline: only the removed constraints disappear; thespring-boot-dependenciesimport remains, so consumers still get the versions.grails-data-mongodb-core,grails-codecs-core,grails-async-rxjava3,grails-converters,grails-web-core): every removed dependency resolves to Spring Boot's identical version../gradlew validateDependencyVersionspasses across all modules../gradlew :grails-shell-cli:testpasses (including the newGrailsDependencyVersionsSpeccoverage).