Description
This project relies on bouncycastle dependencies provided by spring-security-rsa.
The last release of spring-security-rsa was already 2 years ago.
It relies on a dependency on bcpkix-jdk15on, which itself is not maintained anymore:
Packaging Change (users of 1.70 or earlier): BC 1.71 changed the jdk15on jars to jdk18on so the base has now moved to Java 8. For earlier JVMs, or containers/applications that cannot cope with multi-release jars, you should now use the jdk15to18 jars.
[ https://www.bouncycastle.org/latest_releases.html ]
Since spring doesn't support < Java8 anymore, changing to jdk18on would be the logical decision.
I understand that dropping the dependency on spring-security-rsa would be a breaking change.
But at least this project can maintain and update the dependencies of spring-security-rsa directly.
See https://github.com/dsyer/spring-security-rsa/blob/main/pom.xml for dependencies:
- The two Spring dependencies are circular (irrelevant) and inconsistent (different versions).
- Test dependencies can be ignored.
- The dependency on the unmaintained bcpkix-jdk15on remains as the only relevant dependency.
I suggest therefore to replace
spring-cloud-commons/spring-cloud-starter/pom.xml
Lines 32 to 35 in 8238abd
```xml
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-rsa</artifactId>
</dependency>
```
with
```xml
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-rsa</artifactId>
    <exclusions>
        <!-- drop the unmaintained jdk15on artifact pulled in transitively -->
        <exclusion>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcpkix-jdk15on</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<!-- maintained replacement, declared directly -->
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-jdk18on</artifactId>
    <version>1.73</version>
</dependency>
```
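
An exclusion only covers the one dependency it is declared on, so another module or starter can bring the jdk15on jars back without anyone noticing. The following build check is an added example, not part of the issue or of the project's pom.xml; it assumes maven-enforcer-plugin 3.4.1, and the execution id and message text are chosen here for illustration:

```xml
<!-- Added example: fail the build if any unmaintained jdk15on
     Bouncy Castle artifact is resolved, directly or transitively. -->
<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-enforcer-plugin</artifactId>
    <version>3.4.1</version> <!-- assumed version -->
    <executions>
        <execution>
            <id>ban-bouncycastle-jdk15on</id> <!-- hypothetical id -->
            <goals>
                <goal>enforce</goal>
            </goals>
            <configuration>
                <rules>
                    <bannedDependencies>
                        <!-- also inspect transitive dependencies (the default) -->
                        <searchTransitive>true</searchTransitive>
                        <excludes>
                            <!-- bcpkix-jdk15on and the two jars it pulls in -->
                            <exclude>org.bouncycastle:bcpkix-jdk15on</exclude>
                            <exclude>org.bouncycastle:bcprov-jdk15on</exclude>
                            <exclude>org.bouncycastle:bcutil-jdk15on</exclude>
                        </excludes>
                        <message>jdk15on Bouncy Castle jars are unmaintained; use the jdk18on artifacts.</message>
                    </bannedDependencies>
                </rules>
            </configuration>
        </execution>
    </executions>
</plugin>
```

With this in place, `mvn validate` fails and names the dependency path that reintroduced a banned artifact.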