Due to a CVE I need to update the version of netty in one of my builds.
In my POM I believed I could override the property like this:
<properties>
  <netty.version>4.1.118.Final</netty.version>
</properties>
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-dependencies</artifactId>
      <version>3.4.2</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
but looking at the dependency tree using mvn -U -Dverbose dependency:tree
I'm seeing the version is still 117. I assume this is because some other dependency management section in my dependencies is defining the version as 4.1.117.FINAL
Is there a way to ask maven WHAT POM is version managing this?
The tree reports:
+- (io.netty:netty-common:jar:4.1.117.Final:compile - version managed from 4.1.117.Final; omitted for duplicate)
mvn version:
$ mvn --version
Apache Maven 3.9.8 (36645f6c9b5079805ea5009217e36f2cffd34256)
Maven home: ~/.sdkman/candidates/maven/current
Java version: 21.0.3, vendor: Oracle Corporation, runtime: ~/.sdkman/candidates/java/21.0.3-graal
Default locale: en_GB, platform encoding: UTF-8
OS name: "linux", version: "6.8.0-53-generic", arch: "amd64", family: "unix"
asked Feb 17 at 18:37 by theINtoy, edited Feb 18 at 8:29
- Overriding using the property only works if you use the spring-boot starter parent. In your case, you need to put the netty dependency before the spring-boot-dependencies dependency: <dependency> <groupId>io.netty</groupId> <artifactId>netty-all</artifactId> <version>4.1.118.Final</version> </dependency> – Hendra Commented Feb 17 at 22:33
- Thanks for the reply. This approach does not work. I assume because the version of netty is being managed somewhere from a dependencyManagement section in a dependent BOM. Adding the above artefact into dependencyManagement achieves the same as the tree above; adding it to dependencies gives: +- io.netty:netty-all:jar:4.1.118.Final:compile [INFO] | +- io.netty:netty-buffer:jar:4.1.117.Final:compile (version managed from 4.1.118.Final; scope not updated to compile) – theINtoy Commented Feb 18 at 8:33
- mvn help:effective-pom may give more insight – Hendra Commented 2 days ago
1 Answer
If the same artifact is defined with different versions in 2 imported BOMs, then the version in the BOM file that was declared first will win.
You need to add the netty dependency like this.
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-bom</artifactId>
      <version>4.1.118.Final</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-dependencies</artifactId>
      <version>3.4.2</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
BOMs are imported into the dependencyManagement section and only provide version numbers and scopes for dependencies that are used elsewhere. They are not “real” dependencies; they do not appear in the dependency tree as distinct nodes. This means Maven doesn’t show “this version was set by spring-boot-dependencies” explicitly. Tools like dependency:tree or help:effective-pom show the end result of dependency management but do not annotate the source BOM once the version is resolved.
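Since Maven itself does not report which imported BOM supplied a managed version, here is an added illustration (not code from the question, the answer, or any Maven tool) that models the two rules at play: an imported BOM's properties are interpolated with the BOM's own values, so the project's netty.version property has no effect on an import-scoped BOM (it only works through parent inheritance, as the first comment says), and among imported BOMs the first one declared to define an artifact wins. The POM and BOM contents are constructed stand-ins with only the entries needed for the example; the assumption that spring-boot-dependencies reaches netty through its own netty.version property and an import of io.netty:netty-bom is a simplification of the real artifact, not a copy of it. The function names who_manages and effective_management are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

_PROP = re.compile(r"\$\{([^}]+)\}")

# Constructed stand-ins for the real BOMs (assumption: only the entries needed to
# show the precedence rule). The Spring Boot stand-in imports netty-bom through
# its *own* netty.version property, which is the mechanism being modelled.
NETTY_BOM_TEMPLATE = """<project>
  <properties><netty.version>{v}</netty.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>io.netty</groupId><artifactId>netty-common</artifactId>
      <version>${{netty.version}}</version></dependency>
    <dependency><groupId>io.netty</groupId><artifactId>netty-buffer</artifactId>
      <version>${{netty.version}}</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

SPRING_BOOT_BOM = """<project>
  <properties><netty.version>4.1.117.Final</netty.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>io.netty</groupId><artifactId>netty-bom</artifactId>
      <version>${netty.version}</version><type>pom</type><scope>import</scope></dependency>
  </dependencies></dependencyManagement>
</project>"""

BOM_REPOSITORY = {
    "org.springframework.boot:spring-boot-dependencies:3.4.2": SPRING_BOOT_BOM,
    "io.netty:netty-bom:4.1.117.Final": NETTY_BOM_TEMPLATE.format(v="4.1.117.Final"),
    "io.netty:netty-bom:4.1.118.Final": NETTY_BOM_TEMPLATE.format(v="4.1.118.Final"),
}


def _import_block(*coords):
    """Build a <dependencyManagement> that imports the given BOM coordinates in order."""
    deps = "".join(
        f"<dependency><groupId>{g}</groupId><artifactId>{a}</artifactId>"
        f"<version>{v}</version><type>pom</type><scope>import</scope></dependency>"
        for g, a, v in (c.split(":") for c in coords))
    return f"<dependencyManagement><dependencies>{deps}</dependencies></dependencyManagement>"


SPRING = "org.springframework.boot:spring-boot-dependencies:3.4.2"
NETTY_118 = "io.netty:netty-bom:4.1.118.Final"

# The three project POMs under discussion: the question's attempt (property
# override only), the answer's fix (netty-bom imported first), and the same two
# imports declared in the wrong order.
QUESTION_POM = ("<project><properties><netty.version>4.1.118.Final</netty.version></properties>"
                + _import_block(SPRING) + "</project>")
ANSWER_POM = "<project>" + _import_block(NETTY_118, SPRING) + "</project>"
WRONG_ORDER_POM = "<project>" + _import_block(SPRING, NETTY_118) + "</project>"


def interpolate(value, props):
    """Expand ${name} using the POM's *own* properties; unknown names are left as-is."""
    return _PROP.sub(lambda m: props.get(m.group(1), m.group(0)), value)


def effective_management(pom_xml, repo=BOM_REPOSITORY, chain=()):
    """Map groupId:artifactId -> (version, import chain) for a POM's effective
    dependencyManagement. Entries declared directly in the POM beat imports;
    among imports, the first BOM (in declaration order) to define an artifact wins."""
    root = ET.fromstring(pom_xml.strip())
    props = {p.tag: (p.text or "").strip() for p in root.findall("./properties/*")}
    managed, imports = {}, []
    for dep in root.findall("./dependencyManagement/dependencies/dependency"):
        ga = f"{dep.findtext('groupId', '').strip()}:{dep.findtext('artifactId', '').strip()}"
        version = interpolate(dep.findtext("version", "").strip(), props)
        is_import = (dep.findtext("type", "").strip() == "pom"
                     and dep.findtext("scope", "").strip() == "import")
        if is_import:
            imports.append(f"{ga}:{version}")
        else:
            managed[ga] = (version, chain)          # chain == () means "this POM itself"
    for coord in imports:                            # declaration order matters here
        if coord not in repo:
            raise KeyError(f"BOM not in repository: {coord}")
        for ga, entry in effective_management(repo[coord], repo, chain + (coord,)).items():
            managed.setdefault(ga, entry)            # first import to define ga wins
    return managed


def who_manages(pom_xml, ga, repo=BOM_REPOSITORY):
    """Return (version, import chain) for one artifact, or None if it is not managed."""
    return effective_management(pom_xml, repo).get(ga)


if __name__ == "__main__":
    for name, pom in [("question", QUESTION_POM), ("answer", ANSWER_POM), ("wrong order", WRONG_ORDER_POM)]:
        version, chain = who_manages(pom, "io.netty:netty-common")
        print(f"{name:12} netty-common {version:14} via {' -> '.join(chain) or '<project POM>'}")
```

Running it shows the question's POM resolving netty-common to 4.1.117.Final through spring-boot-dependencies and its nested netty-bom import, the answer's ordering resolving to 4.1.118.Final straight from the netty-bom, and the reversed ordering falling back to 4.1.117.Final again. The import chain is the information a verbose dependency:tree does not give you; against a real repository you would need to walk the imported POMs the same way.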