Andy Wilkinson @ankinson Managing Dependencies for Spring Projects with Gradle Jenn Strater @codeJENNerator

Outline • Introduction to the Spring Dependency Management Gradle Plugin • Gradle 5 and beyond • Migration Tips

Outline • Introduction to the Spring Dependency Management Gradle Plugin • Gradle 5 and beyond • Migration Tips

No content

spring-boot-dependencies • Maven bill of materials (bom) • Manages dependency versions (and Maven plugin versions) • Both Spring and third-party dependencies • Over 150 version properties • Over 800 dependencies

… 5.1.6.RELEASE … 3.0.10.RELEASE … … org.thymeleaf thymeleaf ${thymeleaf.version} … spring-boot-dependencies

• Removes the need to think about versions when declaring dependencies • Provides a consistent version across a library’s modules • Avoids accidentally mixing acme-core 1.2 with acme-server 1.1 • Provides default versions that are tested and known to work together • Just an opinion • Override to meet a project’s needs Why is a bom a good thing?

No content

No content

Importing a bom plugins { id 'io.spring.dependency-management' version '1.0.7.RELEASE' } dependencyManagement { imports { mavenBom 'o.s.b:spring-boot-dependencies:2.1.4.RELEASE' } }

$ ./gradlew dependencyManagement > Task :dependencyManagement ------------------------------------------------------------ Root project ------------------------------------------------------------ global - Default dependency management for all configurations … org.thymeleaf:thymeleaf 3.0.11.RELEASE org.thymeleaf:thymeleaf-spring5 3.0.11.RELEASE org.thymeleaf.extras:thymeleaf-extras-java8time 3.0.4.RELEASE org.thymeleaf.extras:thymeleaf-extras-springsecurity5 3.0.4.RELEASE … Importing a bom

plugins { id 'org.springframework.boot' version '2.1.4.RELEASE' } apply plugin: 'io.spring.dependency-management' Spring Boot does this for you

dependencies { runtime 'org.thymeleaf:thymeleaf-spring5' } Overriding a version runtimeClasspath - Runtime classpath of source set 'main'. \--- org.thymeleaf:thymeleaf-spring5 -> 3.0.11.RELEASE +--- org.thymeleaf:thymeleaf:3.0.11.RELEASE | +--- org.attoparser:attoparser:2.0.5.RELEASE | +--- org.unbescape:unbescape:1.1.6.RELEASE | \--- org.slf4j:slf4j-api:1.7.25 -> 1.7.26 \--- org.slf4j:slf4j-api:1.7.25 -> 1.7.26

Overriding a version dependencies { runtime 'org.thymeleaf:thymeleaf-spring5:3.0.10.RELEASE' } runtimeClasspath - Runtime classpath of source set 'main'. \--- org.thymeleaf:thymeleaf-spring5:3.0.10.RELEASE +--- org.thymeleaf:thymeleaf:3.0.10.RELEASE -> 3.0.11.RELEASE | +--- org.attoparser:attoparser:2.0.5.RELEASE | +--- org.unbescape:unbescape:1.1.6.RELEASE | \--- org.slf4j:slf4j-api:1.7.25 -> 1.7.26 \--- org.slf4j:slf4j-api:1.7.25 -> 1.7.26

Overriding a version ext['thymeleaf.version'] = '3.0.10.RELEASE' runtimeClasspath - Runtime classpath of source set 'main'. \--- org.thymeleaf:thymeleaf-spring5 -> 3.0.10.RELEASE +--- org.thymeleaf:thymeleaf:3.0.10.RELEASE | +--- org.attoparser:attoparser:2.0.5.RELEASE | +--- org.unbescape:unbescape:1.1.6.RELEASE | \--- org.slf4j:slf4j-api:1.7.25 -> 1.7.26 \--- org.slf4j:slf4j-api:1.7.25 -> 1.7.26

Maven-style exclusions example exclusions 0.0.1 org.springframework spring-core 4.1.3.RELEASE commons-logging commons-logging

Maven-style exclusions example exclusions 0.0.1 org.springframework spring-beans dependencies { implementation 'example:exclusions:0.0.1' implementation 'org.springframework:spring-beans' }

Maven-style exclusions +- example:exclusions:jar:0.0.1:compile | \- org.springframework:spring-core:jar:4.1.3.RELEASE:compile \- org.springframework:spring-beans:jar:4.1.3.RELEASE:compile +--- com.example:exclusion-example:1.0 | \--- org.springframework:spring-core:4.1.3.RELEASE | \--- commons-logging:commons-logging:1.2 \--- org.springframework:spring-beans:4.1.3.RELEASE \--- org.springframework:spring-core:4.1.3.RELEASE (*)

Outline • Introduction to the Spring Dependency Management Gradle Plugin • Gradle 5 and beyond • Migration Tips

Outline • Introduction to the Spring Dependency Management Gradle Plugin • Gradle 5 and beyond • Migration Tips

Native BOM Support

Consuming Maven Dependencies https://docs.gradle.org/current/userguide/managing_transitive_dependencies.html#sec:bom_import dependencies { implementation enforcedPlatform('org.springframework.boot:spring-boot-dependencies:2.1.4.RELEASE') implementation ‘org.codehaus.groovy:groovy:2.5.7’ }

https://scans.gradle.com/s/dowsysqbnns44/dependencies?dependencies=groovy&expandAll

Forcing specific versions https://docs.gradle.org/current/userguide/managing_transitive_dependencies.html#sec:bom_import dependencies { implementation enforcedPlatform('org.springframework.boot:spring-boot-dependencies:2.1.4.RELEASE') implementation(‘org.codehaus.groovy:groovy:2.5.7’) { force = true } }

https://scans.gradle.com/s/25snam34zlriw/dependencies?dependencies=groovy&expandAll

Using Gradle’s Conflict Resolution https://docs.gradle.org/current/userguide/managing_transitive_dependencies.html#sec:bom_import dependencies { implementation platform('org.springframework.boot:spring-boot-dependencies:2.1.4.RELEASE') implementation ‘org.codehaus.groovy:groovy:2.5.7’ }

https://scans.gradle.com/s/bwcwoumww2dtw/dependencies?dependencies=groovy&expandAll

Overriding Groups of Dependencies https://docs.gradle.org/current/userguide/customizing_dependency_resolution_behavior.html#sec:dependency_resolve_rules dependencies { implementation platform('org.springframework.boot:spring-boot-dependencies:2.1.4.RELEASE') implementation "org.codehaus.groovy:groovy:2.5.7" } configurations.all { resolutionStrategy.eachDependency { DependencyResolveDetails details -> if (details.requested.group == 'org.codehaus.groovy') { details.useVersion '2.5.7' details.because 'upgrade to take advantage of new features' } } }

https://scans.gradle.com/s/4sgi5nsf2zp7g/dependencies?dependencies=groovy&expandAll

Performance

https://scans.gradle.com/s/lopzbvymh2vmo/dependencies?toggled=W1swXV0

https://scans.gradle.com/s/lopzbvymh2vmo/dependencies?toggled=W1swXV0

With Gradle Native BOM Support https://scans.gradle.com/s/s3w7tsxmtc6xw/dependencies?toggled=W1swXV0

Maven Publish Plugin • 5.2+ Resolved Dependencies vs Declared Dependencies

5.2+ Publishing Platforms with the Java Platform Plugin https://docs.gradle.org/current/userguide/java_platform_plugin.html#sec:java_platform_publishing

5.3+ Feature Variants Maven optional dependencies and more!

Feature Variants

Gradle Module Metadata Format

Outline • Introduction to the Spring Dependency Management Gradle Plugin • Gradle 5 and beyond • Migration Tips

Outline • Introduction to the Spring Dependency Management Gradle Plugin • Gradle 5 and beyond • Migration Tips

Exclusions dependencies { implementation('log4j:log4j:1.2.15') { exclude group: 'javax.jms', module: 'jms' exclude group: 'com.sun.jdmk', module: 'jmxtools' exclude group: 'com.sun.jmx', module: 'jmxri' } } configurations { implementation { exclude group: 'javax.jms', module: 'jms' exclude group: 'com.sun.jdmk', module: 'jmxtools' exclude group: 'com.sun.jmx', module: 'jmxri' } }

Multi-scope platform enforcement https://github.com/micronaut-projects/micronaut-profiles/issues/124

IDE Support • Tooling hasn’t caught up to new 5.0 features • Issues are filed and should be fixed soon

Overriding Version Properties ● The Plugin’s behavior is unique. It goes beyond both Maven and Gradle features. ● For upgrading, overriding is possible in Gradle. ● For downgrading, use: ○ • Dependency metadata rule to fix what the dependency declares and is wrong ○ • Substitutions to replace a given version with another ○ • Force ○ • Exclude ● Look for new Gradle releases to fix the remaining differences.

Conclusion

Thanks! Andy Wilkinson @ankinson Jenn Strater @codeJENNerator gradle.org/docs