Jon Travis (Migrated from SEC-1686) said:
This dependency makes my Maven dependency tree considerably larger, as my project then depends on Spring Framework 3.0.3 and 3.0.5. The problem is within the spring-security-parent pom.
Luke Taylor said:
You shouldn't end up with two versions of Spring in the same application. If you're using Maven then its dependency mediation should choose the one you specify in preference over a transitive dependency.
Jon Travis said:
I don't end up with 2 instances of the framework; however, my mvn dependency:list will show me both dependencies. This makes it hard to enumerate the true dependencies I have.
Not a bug. There's no guarantee that a minor version of Spring Security will automatically be using the "current" version of Spring. If we released 3.0.6 today with a dependency on Spring 3.0.5 then the same issue would exist if a user chooses to upgrade to Spring 3.0.6 when it is released a couple of weeks from now.
I've changed the title to reflect the fact that we will upgrade to the next Spring version for 3.0.6. This may affect some people's builds when upgrading Spring Security.
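Added example, not part of the original thread or of the Spring Security project: a small Python check that reads `mvn dependency:list` output and reports any groupId whose artifacts resolved at more than one version, which is the mixed 3.0.3/3.0.5 situation discussed above. The sample output is constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample of `mvn dependency:list` output (not taken from the thread).
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-core:jar:3.0.5.RELEASE:compile
[INFO]    org.springframework:spring-context:jar:3.0.5.RELEASE:compile
[INFO]    org.springframework:spring-aop:jar:3.0.3.RELEASE:compile
[INFO]    org.springframework:spring-tx:jar:3.0.3.RELEASE:compile
[INFO]    org.springframework.security:spring-security-core:jar:3.0.5.RELEASE:compile
[INFO]    commons-logging:commons-logging:jar:1.1.1:compile
"""

SCOPES = {"compile", "runtime", "test", "provided", "system", "import"}


def parse_resolved(text):
    """Yield (groupId, artifactId, version) for each resolved artifact line.

    Coordinates look like groupId:artifactId:type[:classifier]:version:scope,
    so version and scope are always the last two fields.
    """
    for line in text.splitlines():
        tokens = line.replace("[INFO]", "", 1).split()
        if not tokens:
            continue
        # Only the first token is the coordinate; newer plugin versions
        # may append extra text (for example module info) after it.
        parts = tokens[0].split(":")
        if len(parts) in (5, 6) and parts[-1] in SCOPES:
            yield parts[0], parts[1], parts[-2]


def mixed_versions(text):
    """Return {groupId: {version: [artifactIds]}} for groups with >1 version."""
    by_group = defaultdict(lambda: defaultdict(list))
    for group, artifact, version in parse_resolved(text):
        by_group[group][version].append(artifact)
    return {
        group: {version: sorted(arts) for version, arts in versions.items()}
        for group, versions in by_group.items()
        if len(versions) > 1
    }


if __name__ == "__main__":
    for group, versions in mixed_versions(SAMPLE).items():
        print(group)
        for version, artifacts in sorted(versions.items()):
            print(f"  {version}: {', '.join(artifacts)}")
```
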