We have a local plugin-infrastructure that wants to replace BouncyCastle for JDK 1.5 with BouncyCastle for JDK 1.8 due to CVEs.
However the Spring dependency management plugin for some reason triggers a download of the new module (bcprov-jdk18on) with the old version (1.7.0) - and fails.
The error shows up for the tasks `dependencies`, `dependencyInsight` and everything compilation related, like `assemble`.
It would appear that the plugin hasn't noticed that the dependency has been substituted. It's ensuring that its version is 1.70 due to this behaviour that's described in the documentation. It can be disabled:
It may be possible for the plugin to detect a substitution and adapt accordingly so that the above workaround isn't necessary.
wilkinsona changed the title from "Crash on dependency substitution for unmanaged dependency" to "When a dependency has been substituted, its version may be managed based on its old group and artifact IDs" on Apr 30, 2024
Understood, hence me describing it as a workaround above, but I believe it's your only option until we know if it's possible for the plugin to give some special treatment to substituted dependencies. It'll depend on the information that Gradle's APIs make available to the plugin.
wilkinsona changed the title from "When a dependency has been substituted, its version may be managed based on its old group and artifact IDs" to "When a dependency has been substituted by changing its target, its version is managed based on its original group and artifact IDs" on May 2, 2024
build.gradle.kts
src/main/java/ForceCompile.java
Applying the substitution after the Spring plugin would work but should not make a difference and is not a viable workaround for us.
build.gradle.kts - working version
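An added check, not part of the original issue or of the plugin's code: a Gradle Kotlin DSL task that inspects the resolution result of `runtimeClasspath` and fails if a BouncyCastle dependency could not be resolved or a `-jdk15on` artifact is still selected after the substitution. The task name is hypothetical, and the `java` plugin is assumed to be applied so that `runtimeClasspath` exists.

```kotlin
// build.gradle.kts fragment (added example; task name is hypothetical)
import org.gradle.api.artifacts.result.ResolvedDependencyResult
import org.gradle.api.artifacts.result.UnresolvedDependencyResult

tasks.register("checkBouncyCastleSubstitution") {
    group = "verification"
    description = "Fails if the BouncyCastle substitution did not take effect."

    doLast {
        // resolutionResult reports unresolved edges instead of throwing,
        // so the failing requested -> attempted pair can be shown.
        val result = configurations.getByName("runtimeClasspath")
            .incoming.resolutionResult
        val problems = mutableListOf<String>()

        for (dep in result.allDependencies) {
            if (dep is UnresolvedDependencyResult) {
                // e.g. the substituted module requested at the old module's version
                val attempted = dep.attempted.displayName
                if (attempted.startsWith("org.bouncycastle:")) {
                    problems.add(
                        "unresolved: ${dep.requested.displayName} -> $attempted " +
                            "(${dep.failure.message})"
                    )
                }
            } else if (dep is ResolvedDependencyResult) {
                // The artifact that was meant to be replaced is still on the classpath
                val id = dep.selected.moduleVersion
                if (id != null && id.group == "org.bouncycastle" &&
                    id.name.endsWith("-jdk15on")
                ) {
                    problems.add("legacy artifact still selected: $id")
                }
            }
        }

        if (problems.isNotEmpty()) {
            throw GradleException(
                "BouncyCastle substitution check failed:\n" +
                    problems.distinct().joinToString("\n")
            )
        }
    }
}
```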