SEC-1686: Upgrade to Spring 3.0.6 for Spring Security 3.0.6 #1925

Closed
spring-issuemaster opened this Issue Feb 24, 2011 · 4 comments


@spring-issuemaster

Jon Travis (Migrated from SEC-1686) said:

This dependency makes my Maven dependency tree considerably larger, as my project then depends on Spring framework 3.0.3 and 3.0.5. The problem is within the spring-security-parent POM.

@spring-issuemaster

Luke Taylor said:

You shouldn't end up with two versions of Spring in the same application. If you're using Maven then its dependency mediation should choose the one you specify in preference over a transitive dependency.

http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Transitive_Dependencies
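Added example, not part of the original thread and not Maven's or Spring Security's own code: a simplified Python model of the "nearest wins" mediation described in the comment above, showing which Spring version lands on the classpath and which declaration is omitted. The dependency tree, the `com.example:app` project, and the helper names `mediate` and `misaligned` are constructed for illustration.

```python
from collections import deque

# Constructed sample tree (assumption, not taken from a real build): the project
# declares spring-core 3.0.5 directly, while Spring Security 3.0.5 pulls in
# Spring 3.0.3 modules transitively. Node = (groupId:artifactId, version, children).
PROJECT = ("com.example:app", "1.0", [
    ("org.springframework:spring-core", "3.0.5", []),
    ("org.springframework.security:spring-security-core", "3.0.5", [
        ("org.springframework:spring-core", "3.0.3", []),
        ("org.springframework:spring-aop", "3.0.3", [
            ("org.springframework:spring-core", "3.0.3", []),
        ]),
    ]),
])

def mediate(root):
    """Simplified Maven mediation: nearest declaration wins, first declared on ties."""
    resolved = {}     # ga -> (version, depth at which it was chosen)
    omitted = set()   # (ga, losing version, winning version)
    queue = deque((child, 1) for child in root[2])
    while queue:
        (ga, version, children), depth = queue.popleft()
        if ga in resolved:
            # A nearer (or earlier) declaration already won; the loser's subtree is skipped.
            if resolved[ga][0] != version:
                omitted.add((ga, version, resolved[ga][0]))
            continue
        resolved[ga] = (version, depth)
        queue.extend((c, depth + 1) for c in children)
    return resolved, sorted(omitted)

def misaligned(resolved, group, expected):
    """Artifacts of one groupId that resolved to a version other than `expected`."""
    return sorted(ga for ga, (v, _) in resolved.items()
                  if ga.startswith(group + ":") and v != expected)

if __name__ == "__main__":
    resolved, omitted = mediate(PROJECT)
    for ga, (v, d) in sorted(resolved.items()):
        print(f"resolved {ga}:{v} (depth {d})")
    for ga, lost, won in omitted:
        print(f"omitted  {ga}:{lost} (conflict with {won})")
    print("not at 3.0.5:", misaligned(resolved, "org.springframework", "3.0.5"))
```

Mediation is per artifact: in this constructed tree the direct spring-core declaration wins, but spring-aop still resolves to 3.0.3 because nothing nearer declares it. Pinning the whole Spring module set in a `dependencyManagement` section keeps the versions aligned.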

@spring-issuemaster

Jon Travis said:

I don't end up with 2 instances of the framework; however, my mvn dependency:list will show me both dependencies. This makes it hard to enumerate the true dependencies I have.

@spring-issuemaster

Luke Taylor said:

Not a bug. There's no guarantee that a minor version of Spring Security will automatically be using the "current" version of Spring. If we released 3.0.6 today with a dependency on Spring 3.0.5 then the same issue would exist if a user chooses to upgrade to Spring 3.0.6 when it is released a couple of weeks from now.

@spring-issuemaster

Luke Taylor said:

I've changed the title to reflect the fact that we will upgrade to the next Spring version for 3.0.6. This may affect some people's builds when upgrading Spring Security.

@spring-issuemaster spring-issuemaster added this to the 3.0.6 milestone Feb 5, 2016