Reputation: 3819
I'm using spring-cloud-cloudfoundry-connector-2.0.7.RELEASE.jar in a project, which is built with the com.fasterxml.jackson.core:jackson-databind:2.10.0 files as a shadow JAR (i.e. the files are included within the spring-cloud-cloudfoundry-connector JAR rather than just being a dependency).
The problem is, jackson-databind 2.10.0 now has known security problems but there is no later version of the Spring library with patched Jackson files. So, what I need to do is use the existing Spring library but newer Jackson libraries. If it were a normal dependency it would be easy enough, but obviously the files can't be removed from the Spring library.
So, is there any way of forcing Maven to ignore the embedded Jackson classes and only use the newer Jackson library (which is already included in my main project)?
The Gradle build file (and the rest of the Spring project) can be found here: https://github.com/spring-cloud/spring-cloud-connectors/blob/master/spring-cloud-cloudfoundry-connector/build.gradle
Upvotes: -1
Views: 702
Reputation: 35843
You can construct your own patched version of the JAR by manually removing the jackson-databind files. Then you can use a new version number like 2.0.7.RELEASE-patched.
Put this into your Nexus/Artifactory, or otherwise the local repository.
Upvotes: 1
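
The repackaging step from the answer above, as an added example that is not part of the original posts: it copies a JAR while dropping the embedded jackson-databind entries, then checks that none remain. The entry prefixes and the sample JAR are assumptions constructed for illustration. If the shadow build relocated the Jackson packages, the prefixes differ and the connector's own classes would still reference the relocated names.

```python
import io
import zipfile

# Assumed entry prefixes for the embedded copy (not taken from the page);
# list the JAR first and adjust if the shadow build relocated the packages.
EMBEDDED_PREFIXES = (
    "com/fasterxml/jackson/databind/",
    "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/",
)


def strip_embedded(src, dst, prefixes=EMBEDDED_PREFIXES):
    """Copy JAR src to dst without entries under prefixes; return removed names."""
    removed = []
    with zipfile.ZipFile(src) as zin, \
            zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            if info.filename.startswith(prefixes):
                removed.append(info.filename)
                continue
            # Reuse the original ZipInfo so names, timestamps and modes survive.
            zout.writestr(info, zin.read(info))
    return removed


def remaining(jar, prefixes=EMBEDDED_PREFIXES):
    """Entries still matching prefixes; must be empty before publishing."""
    with zipfile.ZipFile(jar) as z:
        return [n for n in z.namelist() if n.startswith(prefixes)]


def build_sample_jar():
    """Constructed stand-in for the connector JAR (three dummy entries)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("org/springframework/cloud/Example.class", b"\xca\xfe\xba\xbe")
        z.writestr("com/fasterxml/jackson/databind/ObjectMapper.class", b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    patched = io.BytesIO()
    print("removed:", strip_embedded(build_sample_jar(), patched))
    patched.seek(0)
    print("remaining:", remaining(patched))
```

The functions also accept file paths, so the real JAR can be passed in directly; the result can then be installed under the 2.0.7.RELEASE-patched version with Maven's install:install-file goal or uploaded to the repository manager.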