QueryDSL in Spring Boot Dependencies uses an older artifact #43550

Closed
miller79 opened this issue Dec 17, 2024 · 2 comments
Labels
status: declined A suggestion or change that we don't feel we should currently apply

Comments

@miller79

miller79 commented Dec 17, 2024

The Spring Boot Dependencies contains a reference to the following dependency:

<dependency>
    <groupId>com.querydsl</groupId>
    <artifactId>querydsl-bom</artifactId>
    <version>${querydsl.version}</version>
    <type>pom</type>
    <scope>import</scope>
</dependency>

This dependency has now changed to this repository with the following Maven coordinate:

<dependency>
    <groupId>io.github.openfeign.querydsl</groupId>
    <artifactId>querydsl-bom</artifactId>
    <version>${querydsl.version}</version>
    <type>pom</type>
    <scope>import</scope>
</dependency>

I'm not sure what the best approach would be to change the dependencies to the new artifact, but I wanted to make sure it was known, as the old repository now has a CRITICAL CVE related to it (https://nvd.nist.gov/vuln/detail/CVE-2024-49203). I'm not sure what changed or if this will affect any potential autoconfigurations currently used, but I wanted to make sure the team is aware.
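As an added defender-side check that is not part of this issue or of Spring Boot, the script below parses a constructed pom.xml and reports every QueryDSL coordinate still under com.querydsl, both the BOM import shown above and plain dependencies whose version is inherited from spring-boot-dependencies; it assumes the fork's individual artifacts use the same io.github.openfeign.querydsl groupId as its BOM, and the Spring Boot version is a placeholder.

```python
import xml.etree.ElementTree as ET

OLD_GROUP = "com.querydsl"                  # unmaintained coordinates
NEW_GROUP = "io.github.openfeign.querydsl"  # fork coordinates quoted in the issue
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM: imports spring-boot-dependencies and the old
# querydsl-bom, and declares two old-coordinate dependencies with no version.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency><groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-dependencies</artifactId>
      <version>PLACEHOLDER</version><type>pom</type><scope>import</scope></dependency>
    <dependency><groupId>com.querydsl</groupId><artifactId>querydsl-bom</artifactId>
      <version>${querydsl.version}</version><type>pom</type><scope>import</scope></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>com.querydsl</groupId><artifactId>querydsl-jpa</artifactId>
      <classifier>jakarta</classifier></dependency>
    <dependency><groupId>com.querydsl</groupId><artifactId>querydsl-apt</artifactId>
      <classifier>jakarta</classifier><scope>provided</scope></dependency>
  </dependencies>
</project>"""

def _text(dep, tag):
    el = dep.find(f"m:{tag}", NS)
    return el.text.strip() if el is not None and el.text else None

def find_old_querydsl(pom_xml):
    """Return (artifactId, version, section) for every dependency still under
    com.querydsl; version is None when it is inherited from an imported BOM,
    which is the spring-boot-dependencies case described in the issue."""
    root = ET.fromstring(pom_xml)
    sections = (("dependencyManagement", "m:dependencyManagement/m:dependencies/m:dependency"),
                ("dependencies", "m:dependencies/m:dependency"))
    return [(_text(d, "artifactId"), _text(d, "version"), name)
            for name, path in sections
            for d in root.findall(path, NS)
            if _text(d, "groupId") == OLD_GROUP]

def suggest(hit):
    """Render one finding with the fork coordinate the issue points to
    (assumes the fork's individual artifacts share the BOM's groupId)."""
    artifact, version, section = hit
    return (f"{OLD_GROUP}:{artifact} in {section} "
            f"(version {version or 'managed by imported BOM'}) -> {NEW_GROUP}:{artifact}")

if __name__ == "__main__":
    for hit in find_old_querydsl(SAMPLE_POM):
        print(suggest(hit))
```

Run it against a real pom.xml by replacing SAMPLE_POM with the file contents; a hit with no version is the case where the vulnerable artifact is silently resolved through the Spring Boot BOM.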

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Dec 17, 2024
@philwebb philwebb added the for: team-meeting An issue we'd like to discuss as a team to make progress label Dec 18, 2024
@philwebb
Member

Thanks for the suggestion, but we're going to need to follow Spring Data's lead here. There's a (currently closed) issue discussing things at spring-projects/spring-data-jpa#3335

@philwebb philwebb closed this as not planned Won't fix, can't repro, duplicate, stale Dec 18, 2024
@philwebb philwebb added status: declined A suggestion or change that we don't feel we should currently apply and removed status: waiting-for-triage An issue we've not yet triaged for: team-meeting An issue we'd like to discuss as a team to make progress labels Dec 18, 2024
@philwebb
Member

Declining for now, but we will reopen this issue if Spring Data switch.

darrachequesne added a commit to darrachequesne/spring-data-jpa-datatables that referenced this issue Jan 8, 2025
- junit-bom is already imported by the spring boot bom (5.10.2)
- hibernate-core is already managed by the spring boot bom (6.4.3.Final)
- querydsl-apt and querydsl-jpa are missing the jakarta classifier

Related: spring-projects/spring-boot#43550