Why do test scope dependencies pull compile scope dependencies in Maven?
Currently my project uses spring boot starter test as so:
```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-test</artifactId>
    <version>2.3.8.RELEASE</version>
    <scope>test</scope>
</dependency>
```
However, despite the test scope, it pulls in spring-core (which is a vulnerable tpl in this version) as a compile scope transitive dependency and it appears inside my compiled binary.
I'm aware that I can fix this by pulling spring-core explicitly with test scope:
```xml
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-core</artifactId>
    <version>5.2.12.RELEASE</version>
    <scope>test</scope>
</dependency>
```
However this shouldn't be necessary. Why is a dependency that's only available in tests pulling dependencies into the compile scope?
Solution 1:[1]
I double checked after the comment from J Fabian Meyer. While spring core was appearing under spring-boot-starter-test in the dependency tree, it was being pulled into the compile scope by spring-boot-starter-web.
My guess is spring-boot-starter-test pulls a later version of spring-core, which is why it appeared in the tree as so.
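The answer's point is that where `mvn dependency:tree` draws the resolved node is not where the compile-scope requirement comes from: Maven derives a transitive dependency's scope from the direct dependency it is reached through, so a library can only land in compile scope via a compile-scope direct dependency, even if the winning node happens to be printed under a test-scope starter. The following script is an added example, not code from the question or answer, that parses `mvn dependency:tree -Dverbose` output and, for one artifact, lists every path that reaches it together with the declared scope of the direct dependency at the head of that path. The tree text it runs on is constructed to mirror the situation in the question; the project coordinates `com.example:demo` and the exact set of intermediate artifacts are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `mvn dependency:tree -Dverbose` output (not the asker's real
# tree). The resolved spring-core node is drawn under spring-boot-starter-test and
# carries compile scope; the omitted duplicates sit under spring-boot-starter-web.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.3.8.RELEASE:test
[INFO] |  \\- org.springframework:spring-test:jar:5.2.12.RELEASE:test
[INFO] |     \\- org.springframework:spring-core:jar:5.2.12.RELEASE:compile
[INFO] \\- org.springframework.boot:spring-boot-starter-web:jar:2.3.8.RELEASE:compile
[INFO]    +- org.springframework:spring-web:jar:5.2.12.RELEASE:compile
[INFO]    |  \\- (org.springframework:spring-core:jar:5.2.12.RELEASE:compile - omitted for duplicate)
[INFO]    \\- org.springframework:spring-webmvc:jar:5.2.12.RELEASE:compile
[INFO]       \\- (org.springframework:spring-core:jar:5.2.12.RELEASE:compile - omitted for duplicate)
"""

# Tree-drawing prefix is built from 3-character cells: "+- ", "\- ", "|  ", "   ".
LINE_RE = re.compile(
    r"^\[INFO\] (?P<prefix>(?:[|+\\ -]{3})*)(?P<open>\(?)(?P<coords>[^\s()]+)(?P<rest>.*)$"
)


@dataclass
class Occurrence:
    ga: str                 # groupId:artifactId
    version: str
    scope: str              # scope Maven printed on this node
    path: List[str]         # g:a of every node from the direct dependency down to this one
    omitted: Optional[str]  # None for the resolved node, else Maven's "omitted for ..." reason


def parse_tree(text: str) -> List[Occurrence]:
    """Turn dependency:tree output into a flat list of nodes with their paths."""
    occurrences: List[Occurrence] = []
    stack: List[tuple] = []  # (depth, ga) of the ancestors of the current line
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        parts = m.group("coords").split(":")
        ga = f"{parts[0]}:{parts[1]}"
        if depth == 0:                      # project root: g:a:type:version, no scope
            stack = [(0, ga)]
            continue
        version, scope = parts[-2], parts[-1]
        while stack and stack[-1][0] >= depth:
            stack.pop()
        path = [g for d, g in stack if d > 0] + [ga]
        omitted = None
        if m.group("open") == "(":
            omitted = m.group("rest").strip(" -)").replace("omitted for ", "")
        occurrences.append(Occurrence(ga, version, scope, path, omitted))
        stack.append((depth, ga))
    return occurrences


def direct_scopes(occurrences: List[Occurrence]) -> Dict[str, str]:
    """Scope declared on each direct (depth-1) dependency of the project."""
    return {o.ga: o.scope for o in occurrences if len(o.path) == 1}


def explain(occurrences: List[Occurrence], ga: str) -> List[dict]:
    """Every path that reaches `ga`, with the scope of the direct dependency it enters
    through. Maven caps a transitive dependency's scope at that direct scope, so the
    compile-scope requirement can only originate from rows whose via_scope is compile."""
    direct = direct_scopes(occurrences)
    return [
        {
            "via": o.path[0],
            "via_scope": direct[o.path[0]],
            "path": " -> ".join(o.path),
            "resolved": o.omitted is None,
            "printed_scope": o.scope,
        }
        for o in occurrences
        if o.ga == ga
    ]


def compile_scope_culprits(occurrences: List[Occurrence], ga: str) -> List[str]:
    """Direct dependencies that actually make `ga` part of the compile classpath."""
    return sorted({r["via"] for r in explain(occurrences, ga) if r["via_scope"] == "compile"})


if __name__ == "__main__":
    occ = parse_tree(SAMPLE_TREE)
    target = "org.springframework:spring-core"
    for row in explain(occ, target):
        flag = "RESOLVED" if row["resolved"] else "omitted "
        print(f"{flag} [{row['printed_scope']:7}] via {row['via']} ({row['via_scope']}): {row['path']}")
    print("compile-scope culprits:", compile_scope_culprits(occ, target))
```

Run against real output with `mvn dependency:tree -Dverbose > tree.txt` and feed the file to `parse_tree`; the `culprits` list is the set of direct dependencies you would have to change (or exclude `spring-core` from) to keep the library out of the build artifact, whereas re-declaring it with test scope, as in the question, only hides it from the tree. Note that `-Dverbose` is what makes the omitted duplicates visible; without it only the resolved node is printed, which is exactly what made the tree in the question misleading.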
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Bryan Tan |
