[2.x] feat: Support Maven BOM (Bill of Materials) #8675
Merged
eed3si9n merged 19 commits into sbt:develop from Feb 2, 2026
- Add csrBomDependencies setting to declare BOM artifacts to import
- Implement BomSupport: resolve BOM POMs, extract dependencyManagement as force versions; fallback to POM XML parse when Coursier does not populate Project.dependencyManagement (coursier#1390)
- Add PomParser for dependencyManagement section in BOM POMs
- Wire BOM force versions into LMCoursier; dependencyOverrides override BOM versions (bomForceVersions ++ userForceVersions)
- Add BomSupportSpec: integration test with junit-bom

- LMCoursier: use userForceVersions instead of allForceVersions
- LMCoursier: remove extra force-versions arg from coursierConfiguration calls
- IvyXml: add bomForcedDeps param to writeFiles and pass to rawContent

- LMCoursier: remove erroneous extra argument from coursierConfiguration in updateSbtClassifierConfigurationTask and scalaCompilerBridgeConfigurationTask (fixes E007 type mismatch / too many arguments in CI)
- IvyXml: pass bomForcedDeps through writeFiles and set force="true" on dependency elements for BOM-resolved versions (publishLocal emulation)

…r BOM
- build.sbt: On Windows, limit to one task at a time to avoid OverlappingFileLockException when scalafix and Coursier write to cache.
- make-pom-type: Expect pom-only deps under dependencyManagement with scope import; check in dependencyManagement/dependencies for p1.
eed3si9n reviewed Feb 2, 2026
…r fills from BOM
- lm-coursier: for deps with version '*' or '' and BOMs present, pass empty version to Coursier so Resolution.processedRootDependencies fills from BOM
- Add bom-publish-local scripted test (a with BOM, b depends on a); comment notes env caveat if b/update fails with jackson-core:*
6d16c92 to 686eb0b
Changed from 2.21.0 to 2.17.0 for more reliable CI testing.
Member
so it looks like at least in the case of
Contributor, Author
Thanks for the pointer. I’ve added the BOM to subproject
Contributor
Could you fix this compiler warning in the newly introduced test?
eed3si9n reviewed Feb 2, 2026
sbt-app/src/sbt-test/dependency-management/bom-publish-local/build.sbt (outdated)
eed3si9n approved these changes Feb 2, 2026
Member eed3si9n left a comment
Thanks for the contribution!
Summary
This PR adds BOM support along the lines of eed3si9n’s comment on #4531:
For the consumption, we reuse the existing .pomOnly() construct:
Interestingly https://mvnrepository.com/artifact/com.fasterxml.jackson/jackson-bom/2.21.0 even suggests that sbt users use that. Next we'd need a way to specify a versionless dependency. For now, we can use "*" for example:
Expectation
update contains jackson-core 2.21.0

What’s in this PR
Consuming BOMs
- .pomOnly() and versionless deps with "*":
    libraryDependencies += ("com.fasterxml.jackson" % "jackson-bom" % "2.21.0").pomOnly()
    libraryDependencies += "com.fasterxml.jackson.core" % "jackson-core" % "*"
- Resolve.addBom(); version "*" is resolved from the BOM.

makePom
- <dependencyManagement><dependencies>...</dependencies></dependencyManagement> with <type>pom</type> and <scope>import</scope>.
- "*" are emitted without a <version> element so Maven uses the BOM-managed version.

Implementation
- Resolve.withBoms(); the rest stay as normal dependencies (including "*").
- <dependencyManagement>; "*" version is omitted in the dependency element. Scala 3: explicit NodeSeq/Elem types in makeDependencyElem to fix cyclic inference and return type.
- csrBomDependencies, BomSupport, PomParser) in favor of Coursier’s native addBom support.

Ivy / publishLocal emulation
- publishLocal), BOM-resolved versions (deps that had "*") are written into the published ivy.xml as forced dependencies (force="true"), so consumers that depend on this module get those versions.

Scripted test
- dependency-management/bom: BOM (jackson-bom 2.21.0 .pomOnly()) + jackson-core "*"; asserts resolved version is 2.21.0.

How to verify
From the sbt build root:
    ./sbt "scripted dependency-management/bom"

Fixes #4531
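A check that can be run over a POM of the shape the makePom section describes, added here as an example and not code from this PR or from sbt: it lists the imported BOMs and the dependencies that rely on them for a version, and flags a versionless dependency with nothing to supply its version or a literal "*" that reached the POM. The sample POM is constructed from the description above; audit_pom and its report keys are hypothetical names.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample: BOM imported under dependencyManagement, jackson-core without <version>.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies><dependency>
    <groupId>com.fasterxml.jackson</groupId><artifactId>jackson-bom</artifactId>
    <version>2.21.0</version><type>pom</type><scope>import</scope>
  </dependency></dependencies></dependencyManagement>
  <dependencies><dependency>
    <groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-core</artifactId>
  </dependency></dependencies>
</project>"""

def _field(dep, tag):
    el = dep.find(f"m:{tag}", NS)
    return el.text.strip() if el is not None and el.text else None

def audit_pom(pom_xml):
    """Return imported BOMs, dependencies left to a BOM, and findings."""
    root = ET.fromstring(pom_xml)  # POMs you did not build belong in a hardened XML parser
    boms, managed = [], set()
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        ga = f"{_field(dep, 'groupId')}:{_field(dep, 'artifactId')}"
        if _field(dep, "type") == "pom" and _field(dep, "scope") == "import":
            boms.append((ga, _field(dep, "version")))
        elif _field(dep, "version"):
            managed.add(ga)  # ordinary managed entry: pins exactly this artifact
    versionless, findings = [], []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        ga = f"{_field(dep, 'groupId')}:{_field(dep, 'artifactId')}"
        version = _field(dep, "version")
        if version == "*":
            findings.append(f"{ga}: literal '*' reached the POM")
        elif version is None and ga not in managed:
            versionless.append(ga)  # version depends entirely on the imported BOMs
            if not boms:
                findings.append(f"{ga}: no version and no BOM import to supply one")
    for ga, version in boms:
        if version in (None, "*"):
            findings.append(f"{ga}: BOM import is not pinned to a version")
    return {"boms": boms, "versionless": versionless, "findings": findings}

if __name__ == "__main__":
    print(audit_pom(SAMPLE_POM))
```

The versionless list is the set of artifacts whose resolved version changes whenever the BOM version is bumped, so it is the list to compare against the resolver's report when reviewing a BOM upgrade.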