vaadin-spring-boot-starter requires inconsistent dependency versions

[archiecobbs]

I like to use the maven-enforcer-plugin to ensure reliable builds.

In particular, <requireUpperBoundDeps/> it good practice because it "requires that the version for each dependency resolved during a build, is equal to or higher than all transitive dependency declarations" (see description).

But this check fails due to several inconsistencies in Vaadin's dependencies.

For example:

• vaadin-spring-boot-starter:24.1.10 requires spring-boot-starter-web:3.1.2
• vaadin-spring-boot-starter:24.1.10 requires vaadin-spring:24.1.12
• vaadin-spring:24.1.12 requires spring-boot-starter-web:3.1.3

Note that there is a conflict created for spring-boot-starter-web - which is it? 3.1.2 or 3.1.3?

So Vaadin is in effect creating a small mess of indeterminacy in everyone's Maven projects.

This failure is ironic because part of the promise of Spring Boot is that it provides a wholly consistent set of dependencies for commonly used dependencies.

This problem should be easy to fix: simply include the Maven enforcer with <requireUpperBoundDeps/> in all Vaadin projects.

Or even better, include <dependencyConvergence/> which simply "requires that dependency version numbers converge".

Then Vaadin projects won't build with inconsistent dependencies.