Transitive platform dependencies may prevent exclusions from being applied #310

@akvone

We have a project with spring-boot-dependencies:2.4 and an excluded transitive dependency (junit):

```groovy
dependencies {
    implementation('org.apache.xmlrpc:xmlrpc-client')
    implementation('com.fasterxml.jackson.core:jackson-databind')
}

dependencyManagement {
    imports {
        mavenBom("org.springframework.boot:spring-boot-dependencies:2.4.4")
    }
    dependencies {
        dependency('org.apache.xmlrpc:xmlrpc-client:3.1.3') {
            exclude 'junit:junit'
        }
    }
}
```

When we tried to bump the version to spring-boot-dependencies:2.5, junit appeared again.
It turned out that spring-boot-dependencies:2.5 brings Jackson dependencies with version 2.12 instead of 2.11, which in turn started to publish Gradle metadata that brings in the Jackson platform (jackson-bom). The platform controls junit, and this disables our exclusion.

The same behavior appears if we just use a Jackson dependency with version 2.12 or if we use the jackson-bom platform.

After reading the Gradle documentation and some existing issues, we found a solution: we also exclude junit from the platform:

```groovy
dependencyManagement {
    imports {
        mavenBom("org.springframework.boot:spring-boot-dependencies:2.5.4")
    }
    dependencies {
        dependency('org.apache.xmlrpc:xmlrpc-client:3.1.3') {
            exclude 'junit:junit'
        }
        dependency('com.fasterxml.jackson:jackson-bom:2.12.4') {
            exclude 'junit:junit'
        }
    }
}
```

The question is: are we handling this the correct way? And could the documentation contain a warning about this case?
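Because the exclusion above stopped applying silently after a version bump, a build-time guard makes the regression visible. The following is an added example, not code from the issue or from the dependency-management plugin: a task that fails the build when an excluded module is back in the resolved `runtimeClasspath`. The task name `verifyExcludedModules` and the `forbiddenModules` set are hypothetical, and the `java` plugin is assumed to be applied.

```groovy
// build.gradle (Groovy DSL). Added example, not part of the original issue.
// Assumption: the java plugin is applied, so runtimeClasspath and check exist.

// group:name coordinates that must never be resolved (taken from the exclusions above).
def forbiddenModules = ['junit:junit'] as Set

tasks.register('verifyExcludedModules') {
    group = 'verification'
    description = 'Fails if an excluded module is resolved on the runtime classpath.'
    doLast {
        // Inspect the resolved graph, not the declared dependencies, so that
        // modules pulled in through platforms and Gradle metadata are seen too.
        def resolved = configurations.runtimeClasspath.incoming
            .resolutionResult.allComponents
            .findAll { it.moduleVersion != null }
            .collect { c ->
                def mv = c.moduleVersion
                "${mv.group}:${mv.name}:${mv.version}".toString()
            }

        def offenders = resolved.findAll { gav ->
            forbiddenModules.any { gav.startsWith(it + ':') }
        }

        if (offenders) {
            throw new GradleException(
                "Excluded modules resolved on runtimeClasspath: ${offenders}. " +
                "Run 'gradle dependencyInsight --configuration runtimeClasspath " +
                "--dependency <name>' to see which path brings them in.")
        }
    }
}

// Run the guard as part of the normal verification lifecycle.
tasks.named('check') { dependsOn 'verifyExcludedModules' }
```

Running `gradle check` after a BOM or dependency upgrade then fails with the offending coordinates instead of shipping the module unnoticed.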
