如何在spring引导中升级spring框架版本
我正在使用spring 2.3.3.starter与maven中相应的spring启动器父程序一起使用。
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.3.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>由于使用了spring4shell CVE,我希望将spring框架升级到5.2.20 upgrade,而不是已经包含的5.2.8.RELEASE。
<spring-framework.version>5.2.20.RELEASE</spring-framework.version>但这不起作用。我还查找了spring start-web-2.3.3.RELEASE.pom,它的spring依赖项硬编码为5.2.8.RELEASE。
除了将所有新版本作为依赖项添加到dependencyManagement部分之外,还有其他方法在spring中升级spring框架版本吗?Thx
完整的POM:
<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.3.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>group</groupId>
<artifactId>app</artifactId>
<version>3.1.0-SNAPSHOT</version>
<packaging>war</packaging>
<properties>
<flyway.version>4.1.2</flyway.version>
<groovy.version>2.4.20</groovy.version>
<spring-framework.version>5.2.20.RELEASE</spring-framework.version>
<spring-cloud.version>Hoxton.SR7</spring-cloud.version>
<h2.version>1.4.196</h2.version>
</properties>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>${spring-cloud.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-jdbc</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-rest</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-webflux</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-configuration-processor</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
</dependency>
<dependency>
<groupId>org.codehaus.groovy</groupId>
<artifactId>groovy-all</artifactId>
<version>${groovy.version}</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-xml -->
<dependency>
<groupId>com.fasterxml.jackson.dataformat</groupId>
<artifactId>jackson-dataformat-xml</artifactId>
</dependency>
</dependencies>
<build>
<finalName>app</finalName>
<resources>
<resource>
<directory>src/main/resources</directory>
<filtering>true</filtering>
<includes>
<include>**/version.json</include>
<include>**/**.properties</include>
</includes>
</resource>
<resource>
<directory>src/main/resources</directory>
<filtering>false</filtering>
<includes>
<include>**/*.*</include>
</includes>
<excludes>
<exclude>**/version.json</exclude>
<exclude>**/**.properties</exclude>
</excludes>
</resource>
</resources>
</build>
</project>编辑:这是mvn依赖关系的一部分:::
+- org.springframework.boot:spring-boot-starter-webflux:jar:2.3.3.RELEASE:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-json:jar:2.3.3.RELEASE:compile
[INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.11.2:compile
[INFO] | | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.11.2:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-reactor-netty:jar:2.3.3.RELEASE:compile
[INFO] | +- org.springframework:spring-web:jar:5.2.8.RELEASE:compile
[INFO] | +- org.springframework:spring-webflux:jar:5.2.8.RELEASE:compile
[INFO] | \- org.synchronoss.cloud:nio-multipart-parser:jar:1.1.0:compile
[INFO] | \- org.synchronoss.cloud:nio-stream-storage:jar:1.1.3:compile如果您查看包含有问题的SpringWeb5.2.8.RELEASE的spring-boot-starter-webflux-2.3.3.RELEASE.pom,您会发现spring版本被硬编码为5.2.8.RELEASE,所以在maven中设置spring.framework属性不会有任何效果。
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>5.2.8.RELEASE</version>
<scope>compile</scope>
</dependency>mvn帮助的输出:有效-pom:
<dependency>
<groupId>org.springframework</groupId> <!-- org.springframework:spring-framework-bom:5.2.8.RELEASE, line 126 -->
<artifactId>spring-web</artifactId> <!-- org.springframework:spring-framework-bom:5.2.8.RELEASE, line 127 -->
<version>5.2.8.RELEASE</version> <!-- org.springframework:spring-framework-bom:5.2.8.RELEASE, line 128 -->
</dependency>
<dependency>
<groupId>org.springframework</groupId> <!-- org.springframework:spring-framework-bom:5.2.8.RELEASE, line 131 -->
<artifactId>spring-webflux</artifactId> <!-- org.springframework:spring-framework-bom:5.2.8.RELEASE, line 132 -->
<version>5.2.8.RELEASE</version> <!-- org.springframework:spring-framework-bom:5.2.8.RELEASE, line 133 -->
</dependency>通过@Inthai2002:编辑后的解决方案:,我在中附加地导入了一个内部库
<dependencyManagement>
<dependencies>
<dependency>
<groupId>internal</groupId>
<artifactId>lib</artifactId>
<version>4.4.0</version>
<scope>import</scope>
<type>pom</type>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>${spring-cloud.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>这个内部库直接导入了spring-boot依赖项pom,这导致忽略了Spring-Frawork.Version属性:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>2.3.3.RELEASE</version>
<scope>import</scope>
<type>pom</type>
</dependency>回答 3
Stack Overflow用户
发布于 2022-05-09 14:41:52
我刚刚在一个干净的spring-framework.version回购上尝试了你的pom (不管有没有m2属性)。没有该属性,spring框架为5.2.8,而该属性为5.2.20.你能试一试干净的回购吗?
版本X上的spring-framework-bom被硬编码到X版的所有spring包(参见https://repo1.maven.org/maven2/org/springframework/spring-framework-bom/5.2.8.RELEASE/spring-framework-bom-5.2.8.RELEASE.pom)
spring-framework.version属性声明并用于在spring-boot-dependencies中提取spring-framework-bom,并由其后代继承(参见https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-dependencies/2.3.3.RELEASE/spring-boot-dependencies-2.3.3.RELEASE.pom)。
spring-boot-dependencies是spring-boot-starter-parent的父级(参见https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-starter-parent/2.3.3.RELEASE/spring-boot-starter-parent-2.3.3.RELEASE.pom)。
由于该属性是由后代继承的,因此可以在应用程序的pom中重写其值。通过使用5.2.20覆盖它,可以将spring框架-bom 5.2.8替换为5.2.20,这实际上是将大部分弹簧包拉到5.2.20。
Stack Overflow用户
发布于 2022-04-15 17:18:52
只需更改父节点,如下所示
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.6.6</version>
</parent>Stack Overflow用户
发布于 2022-04-19 21:50:44
<spring-framework.version>5.2.20.RELEASE</spring-framework.version>只覆盖组ID org.springframework的版本,而不覆盖到org.springframework.boot。我没有看到spring引导的version属性,因此可能必须将该版本包含在依赖项中。
https://stackoverflow.com/questions/71737901
复制相似问题
腾讯云开发者
