Provide a BOM file to allow projects to easily import the right versions of optional dependencies

[evigeant]

Is your feature request related to a problem? If so, please give a short summary of the problem and how the feature would resolve it

Our maven project depends on mssql-jdbc and we support all authentication modes so we need the optional dependencies:

• azure-security-keyvault-keys
• azure-identity
• msal4j
• gson

These dependencies must be at specific versions for things to work as described here: https://learn.microsoft.com/en-us/sql/connect/jdbc/connecting-using-azure-active-directory-authentication?view=sql-server-ver16#client-setup-requirements

We use dependabot to update dependencies, but we needed to exclude mssql-jdbc and the Azure dependencies because they would frequently break the build. Dependabot updates each dependency individually and these need to be updated in "lockstep".

The POM file for mssql-jdbc declares the right versions as optional dependencies, but this does not help as we need to declare them in our own POM with the version.

Describe the preferred solution

The project should publish a BOM file describing the compatible versions of libraries with the driver. Something like mssql-jdbc-bom, similar to spring-framework-bom.

This would allow us to import the BOM (specifying the desired version of the driver) in our dependency management section and then in our dependency section, not specify the version for the dependent libraries. When dependabot updates the version of the BOM, all version would update in lockstep and not break the build because of mismatched versions.

Describe alternatives you've considered

The current alternative is to exclude these from dependabot, update manually and check all version numbers.

Additional context

None

Reference Documentations/Specifications

https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Bill_of_Materials_.28BOM.29_POMs

[lilgreenbird]

hi @evigeant

Thank you for the suggestion we have added this as an enhancement request it will be considered along with other feature requests for future releases.

In the mean time, our driver does include a pom file which you can use to create your own bom pom file as you need. Something that looks like the following

<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.microsoft.sqlserver</groupId>
    <artifactId>mssql-jdbc-bom</artifactId>
    <version>12.10.0</version>
    <packaging>pom</packaging>

    <name>Microsoft JDBC Driver for SQL Server BOM</name>
    <description>Bill of Materials for Microsoft JDBC Driver for SQL Server</description>

    <dependencyManagement>
        <dependencies>
            <!-- Example Dependency -->
            <dependency>
                <groupId>com.microsoft.sqlserver</groupId>
                <artifactId>mssql-jdbc</artifactId>
                <version>12.10.0</version>
            </dependency>
            <!-- Add other dependencies as needed -->
        </dependencies>
    </dependencyManagement>
</project>

add the dependencies that you require and ensure the version matches what's in the pom file.

[evigeant]

We could create this BOM file ourselves, but then we would need to watch the published pom file and go update the version numbers for the driver and all dependencies manually everytime there is a change. This is similar to what we currently do updating all version numbers manually in the dependency management section of our main POM file whenever we want to update the driver.