Overriding netty.version does not work properly #2399
Description
Expected Behavior
Setting <netty.version> in maven properties should correctly override dependency management for all netty dependencies.
I think if the parent/platform module should import io.netty:netty-bom in the dependency management instead of individual netty dependencies to ensure a consistent version.
This is also the workaround I'm using, adding this section to my pom:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-bom</artifactId>
<version>${netty.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>Reasons for doing this: Vulnerability management, bumping netty to a version with fewer/no issues without needing to wait for new Micronaut releases.
Actual Behaviour
Mix of multiple netty versions:
output of mvn dependency:tree -Dverbose -Dinclude=io.netty below:
There's a clear mix of netty 4.2.6.Final and 4.2.7.Final.
[INFO] +- io.micronaut:micronaut-http-server-netty:jar:4.10.8:compile
[INFO] | +- io.micronaut:micronaut-http-netty:jar:4.10.8:compile (version managed from 4.10.8)
[INFO] | | +- io.micronaut:micronaut-buffer-netty:jar:4.10.8:compile (version managed from 4.10.8)
[INFO] | | | \- (io.netty:netty-buffer:jar:4.2.6.Final:compile - version managed from 4.2.7.Final; omitted for duplicate)
[INFO] | | +- (io.netty:netty-codec-http:jar:4.2.6.Final:compile - version managed from 4.2.7.Final; omitted for duplicate)
[INFO] | | +- io.netty:netty-codec-http2:jar:4.2.6.Final:compile (version managed from 4.2.7.Final)
[INFO] | | | +- (io.netty:netty-common:jar:4.2.6.Final:compile - version managed from 4.2.6.Final; omitted for duplicate)
[INFO] | | | +- (io.netty:netty-buffer:jar:4.2.6.Final:compile - version managed from 4.2.6.Final; omitted for duplicate)
[INFO] | | | +- (io.netty:netty-transport:jar:4.2.7.Final:compile - version managed from 4.2.6.Final; omitted for duplicate)
[INFO] | | | +- (io.netty:netty-codec-base:jar:4.2.7.Final:compile - version managed from 4.2.6.Final; omitted for duplicate)
[INFO] | | | +- (io.netty:netty-handler:jar:4.2.6.Final:compile - version managed from 4.2.6.Final; omitted for duplicate)
[INFO] | | | \- (io.netty:netty-codec-http:jar:4.2.6.Final:compile - version managed from 4.2.6.Final; omitted for duplicate)
[INFO] | | \- io.netty:netty-handler:jar:4.2.6.Final:compile (version managed from 4.2.7.Final)
[INFO] | | +- (io.netty:netty-common:jar:4.2.6.Final:compile - version managed from 4.2.6.Final; omitted for duplicate)
[INFO] | | +- io.netty:netty-resolver:jar:4.2.7.Final:compile (version managed from 4.2.6.Final)
[INFO] | | | \- (io.netty:netty-common:jar:4.2.6.Final:compile - version managed from 4.2.7.Final; omitted for duplicate)
[INFO] | | +- (io.netty:netty-buffer:jar:4.2.6.Final:compile - version managed from 4.2.6.Final; omitted for duplicate)
[INFO] | | +- (io.netty:netty-transport:jar:4.2.7.Final:compile - version managed from 4.2.6.Final; omitted for duplicate)
[INFO] | | +- io.netty:netty-transport-native-unix-common:jar:4.2.6.Final:compile (version managed from 4.2.6.Final)
[INFO] | | | +- (io.netty:netty-common:jar:4.2.6.Final:compile - version managed from 4.2.6.Final; omitted for duplicate)
[INFO] | | | +- (io.netty:netty-buffer:jar:4.2.6.Final:compile - version managed from 4.2.6.Final; omitted for duplicate)
[INFO] | | | \- (io.netty:netty-transport:jar:4.2.7.Final:compile - version managed from 4.2.6.Final; omitted for duplicate)
[INFO] | | \- (io.netty:netty-codec-base:jar:4.2.7.Final:compile - version managed from 4.2.6.Final; omitted for duplicate)
[INFO] | \- io.netty:netty-codec-http:jar:4.2.6.Final:compile (version managed from 4.2.7.Final)
[INFO] | +- io.netty:netty-common:jar:4.2.6.Final:compile (version managed from 4.2.6.Final)
[INFO] | +- io.netty:netty-buffer:jar:4.2.6.Final:compile (version managed from 4.2.6.Final)
[INFO] | | \- (io.netty:netty-common:jar:4.2.6.Final:compile - version managed from 4.2.6.Final; omitted for duplicate)
[INFO] | +- io.netty:netty-transport:jar:4.2.7.Final:compile (version managed from 4.2.6.Final)
[INFO] | | +- (io.netty:netty-common:jar:4.2.6.Final:compile - version managed from 4.2.7.Final; omitted for duplicate)
[INFO] | | +- (io.netty:netty-buffer:jar:4.2.6.Final:compile - version managed from 4.2.7.Final; omitted for duplicate)
[INFO] | | \- (io.netty:netty-resolver:jar:4.2.7.Final:compile - version managed from 4.2.7.Final; omitted for duplicate)
[INFO] | +- io.netty:netty-codec-base:jar:4.2.7.Final:compile (version managed from 4.2.6.Final)
[INFO] | | +- (io.netty:netty-common:jar:4.2.6.Final:compile - version managed from 4.2.7.Final; omitted for duplicate)
[INFO] | | +- (io.netty:netty-buffer:jar:4.2.6.Final:compile - version managed from 4.2.7.Final; omitted for duplicate)
[INFO] | | \- (io.netty:netty-transport:jar:4.2.7.Final:compile - version managed from 4.2.7.Final; omitted for duplicate)
[INFO] | +- io.netty:netty-codec-compression:jar:4.2.7.Final:compile (version managed from 4.2.6.Final)
[INFO] | | +- (io.netty:netty-common:jar:4.2.6.Final:compile - version managed from 4.2.7.Final; omitted for duplicate)
[INFO] | | +- (io.netty:netty-buffer:jar:4.2.6.Final:compile - version managed from 4.2.7.Final; omitted for duplicate)
[INFO] | | +- (io.netty:netty-transport:jar:4.2.7.Final:compile - version managed from 4.2.7.Final; omitted for duplicate)
[INFO] | | \- (io.netty:netty-codec-base:jar:4.2.7.Final:compile - version managed from 4.2.7.Final; omitted for duplicate)
[INFO] | \- (io.netty:netty-handler:jar:4.2.6.Final:compile - version managed from 4.2.6.Final; omitted for duplicate)
[INFO] \- io.micronaut:micronaut-http-client:jar:4.10.8:compile
[INFO] \- io.netty:netty-handler-proxy:jar:4.2.6.Final:compile (version managed from 4.2.7.Final)
[INFO] +- (io.netty:netty-common:jar:4.2.6.Final:compile - version managed from 4.2.6.Final; omitted for duplicate)
[INFO] +- (io.netty:netty-buffer:jar:4.2.6.Final:compile - version managed from 4.2.6.Final; omitted for duplicate)
[INFO] +- (io.netty:netty-transport:jar:4.2.7.Final:compile - version managed from 4.2.6.Final; omitted for duplicate)
[INFO] +- (io.netty:netty-codec-base:jar:4.2.7.Final:compile - version managed from 4.2.6.Final; omitted for duplicate)
[INFO] +- io.netty:netty-codec-socks:jar:4.2.7.Final:compile (version managed from 4.2.6.Final)
[INFO] | +- (io.netty:netty-common:jar:4.2.6.Final:compile - version managed from 4.2.7.Final; omitted for duplicate)
[INFO] | +- (io.netty:netty-buffer:jar:4.2.6.Final:compile - version managed from 4.2.7.Final; omitted for duplicate)
[INFO] | +- (io.netty:netty-transport:jar:4.2.7.Final:compile - version managed from 4.2.7.Final; omitted for duplicate)
[INFO] | \- (io.netty:netty-codec-base:jar:4.2.7.Final:compile - version managed from 4.2.7.Final; omitted for duplicate)
[INFO] +- (io.netty:netty-codec-http:jar:4.2.6.Final:compile - version managed from 4.2.6.Final; omitted for duplicate)
[INFO] \- (io.netty:netty-handler:jar:4.2.6.Final:compile - version managed from 4.2.6.Final; omitted for duplicate)
Steps To Reproduce
- generate a netty based application in maven (latest at the time is Micronaut 4.10.2)
- override the netty version:
<netty.version>4.2.6.Final<netty.version>(Micronaut 4.10.2 comes with 4.2.7.Final) - run
mvn dependency:tree -Dverbose -Dinclude=io.netty
Environment Information
- OS: Windows
- JDK: 25
Example Application
No response
Version
4.10.2