How to force or override the version of a dependency in Maven
Nowadays our projects run scanners and code analyzers that raise alerts for CVE security violations.
Often the issues are in transitive dependencies that come with 3rd party libraries. If the 3rd party library is not quick to fix the issue (a.k.a. update the dependency), our project could be blocked inside our organisation.
It can also happen that the 3rd party provider doesn't want to, or cannot, update the faulty dependency.
Sometimes it is worth evaluating whether to override the transitive dependency ourselves to fix the security vulnerability, e.g. an upgrade from Tomcat 1.10.14 to Tomcat 1.10.15 that simply fixes a couple of CVEs without any API change.
If you want to 'force' a particular version of a dependency and override the 3rd party versions, it's worth reading and understanding how Maven's dependency management works: https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html
Update a dependency that doesn't come with Spring Boot
An easy method to force a specific artifact version is to use <dependencyManagement>:
This example shows how to 'manually' fix (at your own risk) CVE-2023-4586, which is linked to an old Netty version.
You may be fighting this security vulnerability through the Microsoft Azure SDK libraries ;-)
<dependencyManagement>
  <dependencies>
    <!-- Pin the Netty artifacts that arrive transitively; Maven's nearest-wins
         resolution is overridden by these managed versions -->
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-handler</artifactId>
      <version>4.1.100.Final</version>
    </dependency>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-codec-http2</artifactId>
      <version>4.1.100.Final</version>
    </dependency>
  </dependencies>
</dependencyManagement>
Updating a dependency that comes with Spring Boot
In this case you are lucky. You simply need to tell Spring Boot which version you want to use, without touching the dependency-management part of your pom.xml.
In this example we upgrade the Logback dependency in Spring Boot to version 1.4.14.
Spring Boot 3.2.0 delivers logback-classic:1.4.11 and logback-core:1.4.11 by default; these 2 dependencies can trigger a security alert because of CVE-2023-6378.
An upgrade to version 1.4.14 solves the problem.
In your pom.xml:
<parent>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-parent</artifactId>
  <version>3.2.0</version>
</parent>
...
<properties>
  <!-- add this version property; the dependency itself doesn't have to be added to the pom.xml -->
  <logback.version>1.4.14</logback.version>
</properties>
Now Spring will import the version of the library that you have defined.
There is a complete list of the dependencies and the properties that can be customized in the Spring documentation:
List of dependencies and properties: https://docs.spring.io/spring-boot/docs/current/reference/html/dependency-versions.html
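Whichever method you use, verify that the override actually took effect by running `mvn dependency:tree -Dverbose` and checking the resolved versions. The script below is an added example (not part of the original post) that parses that output and flags any artifact of a pinned group still resolving to another version; the tree text is constructed sample output, not from a real build, and shows the caveat that pinning netty-handler and netty-codec-http2 alone leaves a sibling such as netty-resolver at the old version.

```python
import re
import sys
from typing import Dict, List

# Constructed sample of `mvn dependency:tree -Dverbose` output (not a real build).
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0.0
[INFO] +- com.azure:azure-core:jar:1.44.1:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.100.Final:compile (version managed from 4.1.94.Final)
[INFO] |  +- io.netty:netty-codec-http2:jar:4.1.100.Final:compile (version managed from 4.1.94.Final)
[INFO] |  \\- io.netty:netty-resolver:jar:4.1.94.Final:compile
[INFO] \\- ch.qos.logback:logback-classic:jar:1.4.14:compile (version managed from 1.4.11)
"""

# groupId -> version we expect dependencyManagement / the Spring property to force
EXPECTED = {"io.netty": "4.1.100.Final", "ch.qos.logback": "1.4.14"}


def parse_tree(text: str) -> List[dict]:
    """Turn dependency:tree output into one dict per artifact (group, artifact, version, managed_from)."""
    deps = []
    for raw in text.splitlines():
        line = raw.replace("[INFO]", "", 1).strip()
        line = line.lstrip("+-|\\ ").strip()          # drop the ASCII tree drawing
        coords, _, note = line.partition(" ")
        parts = coords.split(":")                      # g:a:type[:classifier]:version[:scope]
        if len(parts) < 4:
            continue                                   # plugin banner, timing lines, etc.
        version = parts[-1] if len(parts) == 4 else parts[-2]   # root line carries no scope
        managed = re.search(r"version managed from ([\w.\-]+)", note)
        deps.append({"group": parts[0], "artifact": parts[1], "version": version,
                     "managed_from": managed.group(1) if managed else None})
    return deps


def check_pins(deps: List[dict], expected: Dict[str, str]) -> List[str]:
    """Report every artifact whose groupId is pinned but resolved to a different version."""
    findings = []
    for d in deps:
        want = expected.get(d["group"])
        if want and d["version"] != want:
            findings.append(f"{d['group']}:{d['artifact']} resolved to {d['version']}, expected {want}")
    return findings


if __name__ == "__main__":
    # Pipe real output in: mvn dependency:tree -Dverbose | python check_pins.py
    tree = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for finding in check_pins(parse_tree(tree), EXPECTED) or ["all pinned groups resolve as expected"]:
        print(finding)
```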