Gradle is selecting wrong dependency version

Question

I am seeing some weirdness in my Gradle build. I have a Spring Boot app (which uses Gradle for its build) and am trying to pull in both the Hibernate Validator as well as Hibernate Core. Here's the dependencies declaration in my build.gradle file:

dependencies {
    compile('org.springframework.boot:spring-boot-starter-web') {
        exclude module: 'spring-boot-starter-tomcat'
    }

    compile(
        'org.codehaus.groovy:groovy-all:2.4.12'
        ,'com.google.inject:guice:4.1.0'
        ,'ch.qos.logback:logback-classic:1.2.3'
        ,'org.slf4j:jul-to-slf4j:1.7.25'
        ,'org.apache.logging.log4j:log4j-to-slf4j:2.9.1'
        ,'commons-cli:commons-cli:1.4'
        ,'org.apache.commons:commons-lang3:3.7'
        ,'io.dropwizard.metrics:metrics-core:3.2.5'
        ,'io.dropwizard.metrics:metrics-json:3.2.5'
        ,'org.springframework.security:spring-security-jwt:1.0.9.RELEASE'
        ,'org.springframework.security.oauth:spring-security-oauth2:2.2.1.RELEASE'
        ,'io.jsonwebtoken:jjwt:0.9.0'
        ,'org.hibernate:hibernate-validator:6.0.7.Final'
        ,'mysql:mysql-connector-java:6.0.6'
        ,'org.hibernate:hibernate-core:5.2.12.Final'

        ,'com.h2database:h2:1.4.196'

        ,'org.springframework.boot:spring-boot-starter-jetty'
        ,'org.springframework.boot:spring-boot-starter-actuator'
        ,'org.springframework.boot:spring-boot-starter-security'
        ,'org.springframework.boot:spring-boot-starter-data-rest'
        ,'org.springframework.boot:spring-boot-starter-data-jpa'
    )

    dev('org.springframework.boot:spring-boot-devtools')

    testCompile(
        'org.spockframework:spock-core:1.0-groovy-2.4'
        ,'junit:junit:4.12'
    )
}

When I run ./gradlew dependencies I get a huge output, but from the compile dependencies tree I see the following:

|    +--- org.springframework.boot:spring-boot-starter:1.5.8.RELEASE
|    +--- org.hibernate:hibernate-validator:5.3.5.Final -> 6.0.7.Final
|    |    \--- org.hibernate.validator:hibernate-validator:6.0.7.Final
|    |         +--- javax.validation:validation-api:2.0.1.Final -> 1.1.0.Final
|    |         +--- org.jboss.logging:jboss-logging:3.3.0.Final -> 3.3.1.Final
|    |         \--- com.fasterxml:classmate:1.3.1 -> 1.3.4

So to me it looks like spring-boot-starter:1.5.8.RELEASE is pulling in validation-api:2.0.1.Final but for some reason Gradle is selecting validation-api:1.1.0.Final for me...am I reading that correctly? In my IDE compile classpath I only see validation-api:1.1.0.Final, not 2.0.1.Final.

Why is Gradle selecting 1.1.0.Final instead of 2.0.1.Final? I ask because Hibernate Validator 5.x is not compatible with Validation API 1.x and when my app runs I get all sorts of Hibernate Validation-related errors.

Update

Some more output:

gradle -q dependencyInsight --configuration compile --dependency validation-api
javax.validation:validation-api:1.1.0.Final (selected by rule)

javax.validation:validation-api:2.0.1.Final -> 1.1.0.Final
\--- org.hibernate.validator:hibernate-validator:6.0.7.Final
     \--- org.hibernate:hibernate-validator:6.0.7.Final
          +--- compile
          \--- org.springframework.boot:spring-boot-starter-web:1.5.8.RELEASE
               +--- compile
               \--- org.springframework.boot:spring-boot-starter-data-rest:1.5.8.RELEASE
                    \--- compile

The full compile configuration output can be found here.

Post the complete tree of the compile configuration. Also consider using dependencyInsight (http://mrhaki.blogspot.fr/2014/08/gradle-goodness-getting-more-dependency.html) and posting the output. — JB Nizet, Jan 02 '18 at 17:41
Thanks @JBNizet (+1) - please see my pastebin link added to the top of this question. I also added the output of `dependencyInsigh` for the `validation-api` library if that helps you! Thanks again! — smeeb, Jan 02 '18 at 17:50

score 2 · Accepted Answer · answered Jan 02 '18 at 18:19

2

The version is enforced by Spring Boot.

See the POM for the Spring Boot dependencies: http://search.maven.org/remotecontent?filepath=org/springframework/boot/spring-boot-dependencies/1.5.8.RELEASE/spring-boot-dependencies-1.5.8.RELEASE.pom and look for "javax-validation.version".

See https://docs.spring.io/platform/docs/Brussels-SR4/reference/html/getting-started-overriding-versions.html for more information on how to override Spring Boot versions.

I would recommend overriding directly "javax-validation.version" and "hibernate-validator.version" instead of redefining the dependencies.

answered Jan 02 '18 at 18:19

Guillaume Smet

9,921
22
29

Thanks @Guaillaume (+1) I've never done this before (directly overriding javax.validation.version + hibernate-validator.version). Is this something I do in build.gradle or in application.yml? – smeeb Jan 02 '18 at 18:21
1

See the link I gave you, you have a paragraph about how to override the versions with Gradle: https://docs.spring.io/platform/docs/Brussels-SR4/reference/html/getting-started-overriding-versions.html#getting-started-overriding-versions-gradle . – Guillaume Smet Jan 02 '18 at 18:22
Thanks I see it, so this `ext['foo.version'] = '1.1.0.RELEASE'` declaration, do I put that inside my `dependencies` declaration in Gradle, or do I put it outside that declaration (maybe above it, etc.)? – smeeb Jan 02 '18 at 18:24
I'm more of a Maven guy, but I would say at the root of the build.gradle above the dependencies declaration (ah and use javax.validation.version, not foo.version ;)). – Guillaume Smet Jan 02 '18 at 18:27
The override for gradle as described in the docs didn't work for me. This however did: https://github.com/spring-projects/spring-boot/issues/6507 – Dr4gon Apr 11 '18 at 11:13

score 1 · Answer 2 · answered Jan 02 '18 at 17:42

1

There is some conflict with another dependency that is pulling the older 1.1.0 in the compile classpath.

This means that some other library which has higher priority in gradle build order is dependent the older 1.1.0 version.

You can see here more info on how to specify the gradle build order.

answered Jan 02 '18 at 17:42

Tal Avissar

10,088
6
45
70

Thanks @Tal (+1) - please see my pastebin link added to the top of this question. I also added the output of dependencyInsigh for the validation-api library if that helps you! Thanks again! – smeeb Jan 02 '18 at 17:51
Also @Tal according to the output of all these dependency trees, `org.hibernate.validator:hibernate-validator:6.0.7.Final` is the only thing pulling in `validation-api`... – smeeb Jan 02 '18 at 18:07
Pay attention that hibernate version 5.x.x . pulls down javax.validation:validation-api:1.1.0.Final and I see you have also org.hibernate:hibernate-core:5.2.12.Final – Tal Avissar Jan 02 '18 at 18:14
Thanks @Tal but I'm not understanding you... it *sounds* like you're saying that `org.hibernate:hibernate-core:5.2.12.Final` pulls down `validation-api:1.1.0.Final` but I don't see evidence of that in my dependency tree. Can you elaboriate a bit more? – smeeb Jan 02 '18 at 18:19
Yo have--- org.hibernate:hibernate-validator:5.3.5.Final -> 6.0.7.Final | | \--- org.hibernate.validator:hibernate-validator:6.0.7.Final – Tal Avissar Jan 02 '18 at 18:23

score 0 · Answer 3 · answered Feb 23 '21 at 20:35

I met similar problems, then I found it caused by using the Dependency management in gradle:

plugins {
     ...
    id 'io.spring.dependency-management' version '1.0.10.RELEASE'
}

dependencyManagement {
    imports {
        mavenBom "org.springframework.cloud:spring-cloud-dependencies:Hoxton.SR8"
    }
}

this dependency management impact the transitive dependency version solution. after comment it out. all the version is correct.

Gradle is selecting wrong dependency version

Update

3 Answers3