Skip to content

Dependency convergence failed: nimbus-jose-jwt #37437

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
matsev opened this issue Sep 16, 2023 · 2 comments
Closed

Dependency convergence failed: nimbus-jose-jwt #37437

matsev opened this issue Sep 16, 2023 · 2 comments
Labels
for: external-project For an external project and not something we can fix status: invalid An issue that we don't feel is valid

Comments

@matsev
Copy link
Contributor

matsev commented Sep 16, 2023
edited
Loading

Dependency convergence conflict for com.nimbusds:nimbus-jose-jwt using Spring Boot version 3.1.3

Step by step:

  1. Copy the following pom.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.1.3</version>
        <relativePath/>
    </parent>

    <groupId>com.example.test</groupId>
    <artifactId>dependency-convergence</artifactId>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-oauth2-client</artifactId>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-enforcer-plugin</artifactId>
                <executions>
                    <execution>
                        <id>enforce</id>
                        <goals>
                            <goal>enforce</goal>
                        </goals>
                        <phase>validate</phase>
                        <configuration>
                            <rules>
                                <DependencyConvergence/>
                            </rules>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>
  1. Execute mvn validate

Expected result
The dependencies should converge, i.e. every (transitive) dependency should have exactly one version specified.

Actual result
Two different versions of the nimbus-jose-jwt are imported transitively:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.3.0:enforce (enforce) on project dependency-convergence: 
[ERROR] Rule 0: org.apache.maven.enforcer.rules.dependency.DependencyConvergence failed with message:
[ERROR] Failed while enforcing releasability.
[ERROR] 
[ERROR] Dependency convergence error for com.nimbusds:nimbus-jose-jwt:jar:9.24.4 paths to dependency are:
[ERROR] +-com.example.test:dependency-convergence:jar:3.1.3
[ERROR]   +-org.springframework.boot:spring-boot-starter-oauth2-client:jar:3.1.3:compile
[ERROR]     +-org.springframework.security:spring-security-oauth2-client:jar:6.1.3:compile
[ERROR]       +-com.nimbusds:oauth2-oidc-sdk:jar:9.43.3:compile
[ERROR]         +-com.nimbusds:nimbus-jose-jwt:jar:9.24.4:compile
[ERROR] and
[ERROR] +-com.example.test:dependency-convergence:jar:3.1.3
[ERROR]   +-org.springframework.boot:spring-boot-starter-oauth2-client:jar:3.1.3:compile
[ERROR]     +-org.springframework.security:spring-security-oauth2-jose:jar:6.1.3:compile
[ERROR]       +-com.nimbusds:nimbus-jose-jwt:jar:9.31:compile
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Sep 16, 2023
@wilkinsona
Copy link
Member

Spring Boot stopped managing the versions of various Nimbus dependencies in 2.6.x in favor of using the versions from Spring Security. Ideally, its spring-security-oauth2-jose and spring-security-oauth2-jose modules could be used in combination without Boot's dependency management having to align the version of com.nimbusds:nimbus-jose-jwt that's used.

Please report this to Spring Security so that they can address the problem in a way that will benefit everyone, not just Spring Boot users.

@wilkinsona wilkinsona closed this as not planned Won't fix, can't repro, duplicate, stale Sep 17, 2023
@wilkinsona wilkinsona added status: invalid An issue that we don't feel is valid for: external-project For an external project and not something we can fix and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 17, 2023
@matsev matsev mentioned this issue Sep 17, 2023
Closed
@matsev
Copy link
Contributor Author

matsev commented Sep 17, 2023

Thanks, I have filed a new ticket at spring-projects/spring-security#13843

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
for: external-project For an external project and not something we can fix status: invalid An issue that we don't feel is valid
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@matsev @wilkinsona @spring-projects-issues