Exclude commons-logging from managed dependencies

[sdeleuze]

Related to spring-projects/spring-framework#31322, it looks like org.apache.httpcomponents:httpclient has a transitive dependency on commons-logging:commons-logging which is a dependency that creates conflicts with Spring Framework own implementation, and even worse that breaks the native compilation (see for details on spring-projects/spring-framework#30575).

Discussing with @snicoll about that, we were wondering if it could be possible for Spring Boot dependency management to exclude commons-logging:commons-logging transitive dependency from the managed dependencies like org.apache.httpcomponents:httpclient (and potentially other ones).

[snicoll]

I also wonder if commons-logging could be a "banned dependency". I know the build has such capability so that we make sure only spring-jcl remains on the classpath for an app that uses our dependency management.

[wilkinsona]

Boot's own build bans commons-logging:commons-logging. We could do that for apps in Boot's Gradle plugin or we could go one better and automatically configure a dependency substitution so that org.springframework:spring-jcl is used in place of commons-logging:commons-logging.

I'm not sure there's much we can do for Maven. Could we add some configuration for the Enforcer plugin to spring-boot-starter-parent perhaps?

[philwebb]

I'm not sure we should try to configure the enforcer plugin but perhaps we can use our own plugin to check there isn't a commons-logging dependency.

[snicoll]

I am not a big fan of having the enforcer plugin configured in the parent either. The route of using our own plugin sounds really interesting!