Rorschach

Reputation: 3812

How to remove commons-beanutils-core from a project

Background

commons-beanutils-core version 1.8.0 has some security issues that I am trying to avoid. So, I am using commons-beanutils 1.9.4.

Problem

I cannot seem to prevent other libraries from importing commons-beanutils-core version 1.8.0. Nowhere in my pom file do I include it. I am assuming some other dependency implicitly includes it. And, since commons-beanutils-core is no longer supported and they have moved to just using commons-beanutils for all newer versions, when I explicitly write:

    <dependency>
        <groupId>commons-beanutils</groupId>
        <artifactId>commons-beanutils</artifactId>
        <version>1.9.4</version>
    </dependency>

It does not remove the implicit references to commons-beanutils-core.

Question

How do I make the other packages not download commons-beanutils-core version 1.8.0?

Notes:

There have been other packages that were downloaded as dependencies that I did not explicitly include in my pom.xml. A scan showed that some of these packages were security risks. So, my solution was to just explicitly include a higher version of the package that was previously included implicitly. And that removed the old version of the package. But that solution does not work here since commons-beanutils-core is no longer used in the newest version.

Update 1

I have learned that including the following code will make the pom.xml think that 1.8.0 will be provided, and in a sense it will, since I will include 1.9.4. But I am unsure if the code will use 1.9.4 if it thinks it should look for 1.8.0. This code enables me to remove 1.8.0, but I don't know if my deception here will cause problems down the line.

    <dependency>
        <groupId>commons-beanutils</groupId>
        <artifactId>commons-beanutils-core</artifactId>
        <version>1.8.0</version>
        <scope>provided</scope>
    </dependency>

Upvotes: 2

Views: 5221

Answers (1)

seenukarthi

Reputation: 8664

Using provided scope can have side effects at runtime. Provided scope dependencies are used in compilation but not packaged, so if commons-beanutils-core has a method which is not present in commons-beanutils you will get NoSuchMethodException.

A better solution will be to use mvn dependency:tree to find which dependencies have a dependency on commons-beanutils-core and

  1. Either update the dependency to a version which uses the 1.9.4 version of commons-beanutils.

  2. Or use exclusion to exclude commons-beanutils-core from the dependencies using commons-beanutils-core as a dependency.

If you can use method 1, that's better; if you cannot find a dependency which uses the latest version, then use method 2.

Upvotes: 3
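As an added example (not part of the question or the answer above), the following Python script automates the two steps the answer describes: it parses the text output of mvn dependency:tree, finds every direct dependency through which commons-beanutils-core is pulled in, and renders the matching exclusions block for step 2. The tree output embedded in the script is constructed for the example; org.example:some-library and the commons-configuration chain are assumptions, not the asker's actual project, and commons-beanutils-core 1.8.0 is the artifact named in the question.

```python
"""Find which direct Maven dependency drags in a transitive artifact and
emit the <exclusion> block for it, from the text output of `mvn dependency:tree`."""
import re
from dataclasses import dataclass

# Constructed sample of `mvn dependency:tree` output (not captured from the
# question's project). The chain via org.example:some-library is an assumption.
SAMPLE_TREE = r"""
[INFO] com.example:myapp:jar:1.0.0
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] +- org.example:some-library:jar:2.1.0:compile
[INFO] |  \- commons-configuration:commons-configuration:jar:1.6:compile
[INFO] |     \- commons-beanutils:commons-beanutils-core:jar:1.8.0:compile
[INFO] \- junit:junit:jar:4.13.2:test
"""

# Tree drawing prefix ("+- ", "\- ", "|  ", "   ") is 3 characters per level.
LINE_RE = re.compile(r"^\[INFO\] ([|+\\\- ]*)(\S+:\S+)$")


@dataclass(frozen=True)
class Node:
    group: str
    artifact: str
    version: str
    depth: int


def parse_tree(text):
    """Turn dependency:tree lines into Nodes; unrelated [INFO] lines are skipped."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prefix, coords = m.groups()
        parts = coords.split(":")
        # Root is group:artifact:type:version; dependencies append a scope
        # (and may carry a classifier), so the version sits before the scope.
        version = parts[3] if len(parts) == 4 else parts[-2]
        nodes.append(Node(parts[0], parts[1], version, len(prefix) // 3))
    return nodes


def find_paths(nodes, artifact):
    """Return every ancestor chain (project root excluded) ending at `artifact`."""
    stack, paths = [], []
    for node in nodes:
        del stack[node.depth:]  # leave the previous subtree at this depth
        stack.append(node)
        if node.artifact == artifact:
            paths.append(list(stack[1:]))
    return paths


def exclusion_xml(path, indent="    "):
    """Render the direct dependency with an <exclusion> for the offending artifact."""
    direct, offender = path[0], path[-1]
    return "\n".join([
        f"{indent}<dependency>",
        f"{indent}    <groupId>{direct.group}</groupId>",
        f"{indent}    <artifactId>{direct.artifact}</artifactId>",
        f"{indent}    <version>{direct.version}</version>",
        f"{indent}    <exclusions>",
        f"{indent}        <exclusion>",
        f"{indent}            <groupId>{offender.group}</groupId>",
        f"{indent}            <artifactId>{offender.artifact}</artifactId>",
        f"{indent}        </exclusion>",
        f"{indent}    </exclusions>",
        f"{indent}</dependency>",
    ])


if __name__ == "__main__":
    for path in find_paths(parse_tree(SAMPLE_TREE), "commons-beanutils-core"):
        print("pulled in via:", " -> ".join(n.artifact for n in path))
        print(exclusion_xml(path))
```

Feed it the real output with `mvn dependency:tree > tree.txt` and read the file instead of SAMPLE_TREE; the emitted block replaces the existing declaration of that direct dependency in pom.xml. After editing, re-run `mvn dependency:tree -Dincludes=commons-beanutils` to confirm only commons-beanutils:commons-beanutils:1.9.4 remains, which is the check the answer's step 2 relies on.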
