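Why is Gradle changing my library's transitive dependency to a newer version? How can I get it to stop?
Details
I am developing an internal plugin library for my company that uses Spring Security. The plugin explicitly declares a dependency on the latest version of Spring Security 4: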
compile ('org.springframework.security:spring-security-core:4.2.13.RELEASE') {
force = true
}
When I include the plugin in a client project, Gradle is upgrading me from Spring Security 4 to 5, which breaks the plugin.
compile 'com.mycompany:my-security-plugin:0.3.0-SNAPSHOT'
Here is the output of dependencyInsight in the client project:
> Task :dependencyInsight
org.springframework.security:spring-security-core:5.1.6.RELEASE (selected by rule)
variant "compile" [
org.gradle.status = release (not requested)
org.gradle.usage = java-api
org.gradle.component.category = library (not requested)
]
org.springframework.security:spring-security-core:5.1.6.RELEASE
+--- org.springframework.security:spring-security-config:5.1.6.RELEASE
| \--- com.mycompany:my-security-plugin:0.3.0-SNAPSHOT:20200122.162056-4 (requested org.springframework.security:spring-security-config:4.2.13.RELEASE)
| \--- compileClasspath
\--- org.springframework.security:spring-security-web:5.1.6.RELEASE
\--- com.mycompany:my-security-plugin:0.3.0-SNAPSHOT:20200122.162056-4 (requested org.springframework.security:spring-security-web:4.2.13.RELEASE) (*)
org.springframework.security:spring-security-core:4.2.13.RELEASE -> 5.1.6.RELEASE
\--- com.mycompany:my-security-plugin:0.3.0-SNAPSHOT:20200122.162056-4
\--- compileClasspath
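It looks to me like in all cases I am requesting Spring Security 4 in my configuration. What am I doing wrong?
I am using Gradle 5.1.1.
Update
As a workaround, it is possible to have the client application declare a direct dependency on Spring Security with a specific version. I would like to avoid this if possible.
Update 2
Output of gradlew dependencyInsight --dependency org.springframework.security:spring-security-web: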
> Task :dependencyInsight
org.springframework.security:spring-security-web:5.1.6.RELEASE (selected by rule)
variant "compile" [
org.gradle.status = release (not requested)
org.gradle.usage = java-api
org.gradle.component.category = library (not requested)
]
org.springframework.security:spring-security-web:4.2.13.RELEASE -> 5.1.6.RELEASE
\--- com.mycompany:my-security-plugin:0.3.0-SNAPSHOT:20200122.162056-4
\--- compileClasspath
Update 3
buildEnvironment includes the following, via grails:
+--- org.springframework.boot:spring-boot-gradle-plugin:2.1.9.RELEASE
| | +--- org.springframework.boot:spring-boot-loader-tools:2.1.9.RELEASE (*)
| | +--- io.spring.gradle:dependency-management-plugin:1.0.8.RELEASE
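
An added example, not part of the original question: a Python check that reads `dependencyInsight` output like the one quoted above and lists every module whose requested version differs from the resolved one, flagging major-version changes so a CI job can fail on them. The sample lines are copied from the question with the tree indentation reconstructed; the function names are hypothetical.

```python
import re

# Constructed sample: lines from the question's dependencyInsight output.
SAMPLE = r"""
org.springframework.security:spring-security-core:5.1.6.RELEASE
+--- org.springframework.security:spring-security-config:5.1.6.RELEASE
|    \--- com.mycompany:my-security-plugin:0.3.0-SNAPSHOT:20200122.162056-4 (requested org.springframework.security:spring-security-config:4.2.13.RELEASE)
\--- org.springframework.security:spring-security-web:5.1.6.RELEASE
     \--- com.mycompany:my-security-plugin:0.3.0-SNAPSHOT:20200122.162056-4 (requested org.springframework.security:spring-security-web:4.2.13.RELEASE) (*)
org.springframework.security:spring-security-core:4.2.13.RELEASE -> 5.1.6.RELEASE
\--- com.mycompany:my-security-plugin:0.3.0-SNAPSHOT:20200122.162056-4
"""

GAV = r"([\w.\-]+:[\w.\-]+):([\w.\-]+)"          # group:name, version
TREE_PREFIX = re.compile(r"^[|+\\\- ]+")         # "+--- ", "|    \--- ", ...
ARROW = re.compile(GAV + r" -> ([\w.\-]+)")      # requested -> resolved
REQUESTED = re.compile(r"\(requested " + GAV + r"\)")
NODE = re.compile(GAV + r"(?: \(.*\))?")         # a resolved module line

def major(version):
    """Leading numeric component of e.g. 4.2.13.RELEASE, or None."""
    m = re.match(r"\d+", version)
    return int(m.group()) if m else None

def find_version_changes(text):
    """Return sorted (module, requested, resolved, major_changed) tuples."""
    resolved, wanted = {}, set()
    for raw in text.splitlines():
        line = TREE_PREFIX.sub("", raw.rstrip())
        if (m := ARROW.fullmatch(line)):
            resolved[m.group(1)] = m.group(3)
            wanted.add((m.group(1), m.group(2)))
        elif (m := REQUESTED.search(line)):
            wanted.add((m.group(1), m.group(2)))
        elif (m := NODE.fullmatch(line)):
            resolved[m.group(1)] = m.group(2)
    changes = []
    for module, req in sorted(wanted):
        got = resolved.get(module)
        if got and got != req:
            changes.append((module, req, got, major(req) != major(got)))
    return changes

if __name__ == "__main__":
    for module, req, got, is_major in find_version_changes(SAMPLE):
        print(f"{'MAJOR' if is_major else 'minor'} {module}: {req} -> {got}")
```
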