Snake yaml 1.33 still downloading, though changed to 2.0

Asked by: tdog. Asked: 8/30/2023. Last edited by: halfertdog. Updated: 10/17/2023. Views: 345

Q:

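The problem I am running into is that, although I upgraded the snake yaml version to 2.0, snake yaml version 1.33 is still downloaded in my Spring Boot project.

I deleted the .gradle/caches folder and built my new project.

Here is some information: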

build.gradle:

plugins {
    id 'java-platform'
    id 'org.springframework.boot' version "3.1.1" apply false
    id 'io.spring.dependency-management' version '1.1.0'
    id "org.openapi.generator" version "6.6.0" apply false
    id 'com.gorylenko.gradle-git-properties' version '2.4.1' apply(false)
    id 'com.yupzip.wsdl2java' version '3.0.0' apply false
}

version = currentVersion

javaPlatform {
    allowDependencies()
}

allprojects {
    repositories {
        mavenLocal()
        maven {
            credentials {
                username = "${artifactoryUser}"
                password = "${artifactoryPassword}"
            }
            url "${artifactoryUrl}/XYZ-maven"
        }
    }
}

subprojects {
    // java language and source defaults
    apply plugin: "java-library"
    apply plugin: 'org.springframework.boot'
    apply plugin: 'io.spring.dependency-management'

    sourceCompatibility = 17
    targetCompatibility = 17
    compileJava.options.encoding = 'UTF-8'

    // jar target names
    version = "${currentVersion}"
    archivesBaseName = rootProject.getName() + it.path.replace(":", "-")

    compileJava.dependsOn(processResources)

    dependencyManagement {
        imports {
            mavenBom "org.springframework.cloud:spring-cloud-dependencies:2022.0.3"
            mavenBom "org.apache.cxf:cxf-bom:4.0.1"
        }
    }

    bootJar {
        enabled = 'application' == it.name
    }

    dependencies {
        // enable referencing dependencies for the gradle scopes
        implementation platform(rootProject)
        testCompileOnly platform(rootProject)
        annotationProcessor platform(rootProject)
        testAnnotationProcessor platform(rootProject)

        compileOnly "org.mapstruct:mapstruct:1.5.5.Final"
        compileOnly "org.projectlombok:lombok"

        compileOnly "org.springframework.boot:spring-boot-configuration-processor"

        testCompileOnly "org.projectlombok:lombok"
        testAnnotationProcessor "org.projectlombok:lombok"
        implementation 'org.projectlombok:lombok-mapstruct-binding:0.2.0'

        annotationProcessor "org.projectlombok:lombok"
        annotationProcessor "org.mapstruct:mapstruct-processor:1.5.5.Final"
        annotationProcessor "org.springframework.boot:spring-boot-configuration-processor"
        annotationProcessor "org.hibernate.validator:hibernate-validator-annotation-processor"

        api 'de.XYZ-framework-spring-3:23.4.11'
        api "org.springframework.boot:spring-boot-starter"
        api "org.springframework.boot:spring-boot-starter-json"
        api 'org.springframework.boot:spring-boot-starter-web'
        api "org.springframework.boot:spring-boot-starter-aop"
        api 'org.springframework.boot:spring-boot-starter-validation'
        api 'org.springframework.boot:spring-boot-starter-actuator'
        api 'org.springframework.boot:spring-boot-actuator-autoconfigure'

        api "org.springframework.cloud:spring-cloud-starter-config"

        // apache commons
        api 'org.apache.commons:commons-text:1.10.0'
        api 'org.apache.commons:commons-lang3'
        api 'org.apache.commons:commons-collections4'

        api "com.google.code.findbugs:jsr305:3.0.2"
        api 'org.springdoc:springdoc-openapi-ui:1.6.14'
        api "com.fasterxml.jackson.core:jackson-databind"

        api 'com.github.vandeseer:easytable:0.8.5'

        //
        // TESTING
        //

        // spring test without junit4
        testImplementation('org.springframework.boot:spring-boot-starter-test')
    }

    configurations.configureEach {
        resolutionStrategy.dependencySubstitution {
            substitute module('org.yaml:snakeyaml') using module('org.yaml:snakeyaml:2.0') withoutClassifier() because('version 1.33 is vulnerable')
        }
    }

    clean {
        delete "out"
        delete "bin"
    }

    // ide support
    apply plugin: 'idea'

    test {
        useJUnitPlatform()
    }

}

This is part of the dependency tree:

[image]

After deleting .gradle/caches and rebuilding:

[image]

So the problem is that

org.springframework.boot:spring-boot-starter:3.1.1

io.swagger.core.v3:swagger-core:2.2.7

have Snake YAML version 1.33 as a sub-dependency.

I have already tried to exclude it in some way, for example:

dependencies {
    // Exclude snakeyaml version 1.33 from swagger-core
    api("io.swagger.core.v3:swagger-core:2.2.7") {
        exclude group: 'org.yaml', module: 'snakeyaml', version: '1.33'
    }

    // Exclude snakeyaml version 1.33 from spring-boot-starter
    api("org.springframework.boot:spring-boot-starter:3.1.1") {
        exclude group: 'org.yaml', module: 'snakeyaml', version: '1.33'
    }
}

However, when I delete the .gradle/caches folder and rebuild, it still downloads Snake version 1.33.

java spring-boot build.gradle snakeyaml

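Comments

0 votes Rogue 8/30/2023
Well, yes, the dependency tree actually tells you that snakeyaml 1.3.3 is a dependency of sprint-boot-starter-validation 3.1.1
0 votes tdog 8/31/2023
Yes, and Swagger Code gen. The question is how I can prevent it from loading the sub-dependency
0 votes User51 8/31/2023
You can force Gradle to use a specific version with resolutionStrategy. If you search for gradle force dependency version, you can find usage examples in various other SO questions and elsewhere: stackoverflow.com/questions/28444016/... Sometimes you can also get away with importing the transitive and putting ! at the end of the version. You just need to make sure your version change doesn't break the thing that includes it. That said, 1.33 -> 2.0 is a breaking change in Snakeyaml. Make sure your code doesn't break!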

A: No answers yet
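
One way to apply the version forcing suggested in the comments and to confirm what is actually resolved, as an added example that is not part of the original question or its comments. It assumes the root build.gradle from the question; `snakeyaml.version` is the version property used by Spring Boot's dependency management, and the task name `verifySnakeyaml` is hypothetical.

```groovy
// Added example for the root build.gradle shown in the question.
subprojects {
    // Spring Boot's dependency management (io.spring.dependency-management)
    // pins snakeyaml through the 'snakeyaml.version' property; override it.
    ext['snakeyaml.version'] = '2.0'

    configurations.configureEach {
        resolutionStrategy {
            // Force the version for direct and transitive requests alike.
            force 'org.yaml:snakeyaml:2.0'
        }
    }

    // Hypothetical task name: fails the build when a snakeyaml 1.x artifact
    // is still on the resolved runtime classpath of this subproject.
    tasks.register('verifySnakeyaml') {
        doLast {
            def stale = configurations.runtimeClasspath
                .resolvedConfiguration.resolvedArtifacts
                .collect { it.moduleVersion.id }
                .findAll { it.group == 'org.yaml' && it.name == 'snakeyaml' }
                .findAll { it.version.startsWith('1.') }
            if (stale) {
                throw new GradleException(
                    "${project.path}: snakeyaml 1.x still resolved: ${stale}")
            }
            logger.lifecycle("${project.path}: no snakeyaml 1.x on runtimeClasspath")
        }
    }

    // Attach the check to 'check' regardless of plugin application order.
    tasks.matching { it.name == 'check' }.configureEach {
        dependsOn 'verifySnakeyaml'
    }
}

// To see which dependency requests snakeyaml and which version is selected
// ('application' is the subproject name used in the question's bootJar block):
//   gradle :application:dependencyInsight --dependency snakeyaml --configuration runtimeClasspath
```

The check covers only each subproject's runtimeClasspath. Classpaths used by build plugins are resolved separately and are not affected by this resolutionStrategy.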