
No-longer working dependency to net.minidev.json-smart (via com.nimbusds.oauth2-oidc-sdk) #16579


Closed
bjoernwuest opened this issue Feb 12, 2025 · 7 comments
Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose); status: duplicate (A duplicate of another issue)

Comments

@bjoernwuest

bjoernwuest commented Feb 12, 2025

Describe the bug
Since today Maven complains that the dependency to net.minidev.json-smart [1.3.3,2.4.10) cannot be resolved. The dependency is introduced by com.nimbusds.oauth2-oidc-sdk [9.43.4]

To Reproduce

  1. Create maven project
  2. Add spring-boot-starter-oauth2-client dependency
  3. Run "maven dependency:tree"

Expected behavior
The dependency shall be resolvable.
Did not contact nimbusds since they are at v11 already, referring to json-smart 2.5.1 (which can be pulled from central maven repo).

@bjoernwuest bjoernwuest added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Feb 12, 2025
@ck443

ck443 commented Feb 12, 2025

There are new versions of oauth2-oidc-sdk available - e.g.: 9.43.5 instead of 9.43.4.
This version should work.

https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/494/json-smart-and-cve-2024-57699-configure

@bsautel

bsautel commented Feb 12, 2025

Same problem here, the build is broken because of this issue.

There are multiple versions of net.minidev:json-smart satisfying these version constraints [1.3.3,2.4.10] in the Maven Central repository. But the metadata file of the artifact that lists the available versions only contains the latest one. The other versions were probably removed when releasing the latest versions a few hours ago. Don't know whether this is intentional or not, but this is the cause of this issue.

An issue was already reported to the json-smart project: netplex/json-smart-v2#240
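
Added example (not part of the original thread, and not code from Maven or json-smart): a small Python model of resolving a version range against the `<versions>` list in `maven-metadata.xml`, showing why both ranges quoted in this thread stop resolving once only the latest version is listed. The listed versions are constructed sample data, and the version ordering is simplified to plain dotted numbers.

```python
import re
import xml.etree.ElementTree as ET


def metadata(versions):
    """Build a constructed maven-metadata.xml listing the given versions."""
    items = "".join(f"<version>{v}</version>" for v in versions)
    return ("<metadata><groupId>net.minidev</groupId>"
            "<artifactId>json-smart</artifactId>"
            f"<versioning><versions>{items}</versions></versioning></metadata>")


# Constructed samples: a fuller listing, and one that names only the latest release.
BEFORE = metadata(["2.4.8", "2.4.9", "2.4.10", "2.5.2"])
AFTER = metadata(["2.5.2"])


def vkey(version):
    """Simplified ordering for dotted numeric versions (no qualifiers)."""
    return tuple(int(part) for part in version.split("."))


def parse_range(spec):
    """Parse a range such as '[1.3.3,2.4.10)'; '[' and ']' are inclusive bounds."""
    m = re.fullmatch(r"([\[(])([\d.]+),([\d.]+)([\])])", spec)
    if not m:
        raise ValueError(f"unsupported range: {spec!r}")
    lo_inc, hi_inc = m.group(1) == "[", m.group(4) == "]"
    lo, hi = vkey(m.group(2)), vkey(m.group(3))
    return lambda v: ((lo < v or (lo_inc and v == lo))
                      and (v < hi or (hi_inc and v == hi)))


def resolve(metadata_xml, spec):
    """Return the highest listed version inside the range, or None if none is listed."""
    in_range = parse_range(spec)
    listed = [e.text.strip() for e in ET.fromstring(metadata_xml).iter("version")]
    matches = [v for v in listed if in_range(vkey(v))]
    return max(matches, key=vkey) if matches else None


if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        for spec in ("[1.3.3,2.4.10)", "[1.3.3,2.4.10]"):
            print(label, spec, "->", resolve(doc, spec))
```

A range can only select versions the metadata lists, so pinning an explicit version, as the later comments do, removes the dependency on that listing.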

@bjoernwuest
Author

> There are multiple versions of net.minidev:json-smart satisfying these version constraints [1.3.3,2.4.10] in the Maven Central repository. But the metadata file of the artifact that lists the available versions only contains the latest one. The other versions were probably removed when releasing the latest versions a few hours ago. Don't know whether this is intentional or not, but this is the cause of this issue.
>
> An issue was already reported to the json-smart project: netplex/json-smart-v2#240

Which is unfortunate and I think has broken many things around the globe today, but if it fixes a serious issue, is fine in my opinion. Actually, I think I like this approach to trigger people to react :)

@fctaddia

If updating to the latest version is an option for you, you can fix your Gradle project in the build.gradle like this:

    configurations.configureEach {
        resolutionStrategy {
            force("net.minidev:json-smart:2.5.2")
        }
    }

@bjoernwuest
Author

As discussed in the json-smart issue, this fixes the problem until the problem in their metadata is resolved:

    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-oauth2-client</artifactId>
      <version>${version.spring-boot-starter-oauth2-client}</version>
      <exclusions>
        <exclusion>
          <groupId>net.minidev</groupId>
          <artifactId>json-smart</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>net.minidev</groupId>
      <artifactId>json-smart</artifactId>
      <version>2.5.2</version>
    </dependency>

@franticticktick
Contributor

To be able to work on tasks, change the version of com-nimbusds-oauth2-oidc-sdk in the libs.versions.toml file to 11.22.1. Locally this will be enough.

@jgrandja
Contributor

com.nimbusds:oauth2-oidc-sdk has been updated to 9.43.5 via gh-16582 - the build is now passing.

Closing this as a duplicate.

@jgrandja jgrandja self-assigned this Feb 12, 2025
@jgrandja jgrandja added status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Feb 12, 2025
@jzheaux jzheaux added the in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) label Feb 18, 2025