Managing application dependencies
There’s a subtle thing we may have glossed over. It is best expressed in this simple question:
What version of Spring Framework works best with which version of Spring Data JPA and Spring Security?
Indeed, that is quite tricky. In fact, over the years, thousands of hours have probably been spent simply managing version dependencies.
Imagine that a new version of Spring Data JPA is released. It has an update to the Query by Example option you’ve been waiting for – the one where they finally handle domain objects that use Java’s Optional type in the getters. It’s been bugging you because anytime you had an Optional.EMPTY, it just blew up.
So, you’re eager to upgrade.
But you don’t know if you can. The last upgrade cost you a week of effort. It included digging through release reports for Spring Framework as well as Spring Data JPA.
Your system also uses Spring Integration and Spring MVC. If you bump up the version, will those other dependencies run into any issues?
With the miracle of autoconfiguration, all those slick starters and easy-to-use configuration properties can come off as a bit weak if you’re left dealing with this conundrum.
That’s why Spring Boot also comes loaded with an extensive list of 195 approved versions. If you pick a version of Spring Boot, the proper version of the Spring portfolio, along with some of the most popular third-party libraries, will already be selected.
There’s no need to deal with micromanaging dependency versions. Just bump up the version of Spring Boot and pick up all the improvements.
The Spring Boot team doesn’t just release the software itself. They also release a Maven bill of materials (BOM). This is a separate module known as Spring Boot Dependencies. Don’t panic! It’s baked into the modules that are picked up when you adopt Spring Boot.
And with that in place, you can easily pick up new features, bug patches, and any resolved security issues.
Important
It doesn’t matter if you’re using Maven or Gradle. Either build system can consume Spring Boot dependencies and apply their collection of managed dependencies.
We won’t go into how Spring Boot dependencies are configured in the build system. Just understand that you can choose the build system you prefer. How to apply this will be covered at the beginning of Chapter 2, Creating a Web Application with Spring Boot.
That last part is key, so I’ll repeat it: when Common Vulnerabilities and Exposures (CVE) security vulnerabilities are reported to the Spring team, no matter which component of the Spring portfolio is impacted, the Spring Boot team will make a security-based patch release.
This BOM is released alongside Spring Boot’s actual code. All we have to do is adjust the version of Spring Boot in our build file, and everything will follow.
To paraphrase Phil Webb, project lead for Spring Boot, if Spring Framework were a collection of ingredients, then Spring Boot would be a pre-baked cake.
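Security patches only follow a Spring Boot version bump for dependencies whose versions are left to the BOM. The Python check below is an added example, not code from the book or the Spring Boot project: it scans a POM for explicit version pins on org.springframework artifacts and for overridden spring*.version properties, both of which stay where they are when Spring Boot is upgraded. It assumes a project that inherits from spring-boot-starter-parent; the sample POM, its placeholder versions, and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Assumption: groups whose versions we expect the Spring Boot BOM to manage.
MANAGED_GROUP_PREFIXES = ("org.springframework",)

# Constructed sample POM with placeholder versions (not from the book).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>0.0.0-PLACEHOLDER</version>
  </parent>
  <properties>
    <java.version>17</java.version>
    <spring-framework.version>0.0.0-PINNED</spring-framework.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-core</artifactId>
      <version>0.0.0-PINNED</version>
    </dependency>
  </dependencies>
</project>"""

def find_version_overrides(pom_xml):
    """Return (kind, name, version) for every pin that bypasses the BOM."""
    root = ET.fromstring(pom_xml)
    findings = []
    # An explicit <version> on a dependency wins over the managed version.
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        version = dep.findtext("m:version", namespaces=NS)
        if version and group.startswith(MANAGED_GROUP_PREFIXES):
            findings.append(("dependency", f"{group}:{artifact}", version))
    # Heuristic: spring*.version properties override the parent's managed values.
    props = root.find("m:properties", NS)
    for prop in (props if props is not None else []):
        name = prop.tag.split("}", 1)[-1]  # strip the XML namespace
        if name.startswith("spring") and name.endswith(".version"):
            findings.append(("property", name, (prop.text or "").strip()))
    return findings
```

An empty result means every Spring dependency in the file takes its version from the BOM, so a Spring Boot patch release reaches all of them.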