When a project depends on com.github.spotbugs:spotbugs-annotations, it will add the latest JUnit Jupiter BOM to the project classpath. This causes issues for consumers, as adding or bumping spotbugs-annotations will lead to a bump of JUnit, as the BOM ends up in the POM and Gradle module files.
This happens because the BOM is configured to be an implementation dependency (spotbugs/build.gradle, line 40 in a9ae3aa: implementation platform('org.junit:junit-bom:5.9.1')). It would likely be better to add the BOM exclusively to the testImplementation configurations for all projects, as it really shouldn't be leaked to any production code consumers.
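A check a library maintainer or consumer could run against a published POM to catch this kind of leak, as an added example that is not part of the original report or the SpotBugs build. Gradle's maven-publish plugin writes a `platform(...)` dependency into the POM as an import-scope `dependencyManagement` entry, which is what the function looks for; the sample POM, the `TEST_ONLY_GROUPS` list and the function name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Assumption: group IDs that should only ever appear in test scope.
TEST_ONLY_GROUPS = {"org.junit", "org.junit.jupiter", "org.mockito"}

# Constructed sample, not the real spotbugs-annotations POM.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>annotations</artifactId>
  <version>1.0.0</version>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.junit</groupId>
        <artifactId>junit-bom</artifactId>
        <version>5.9.1</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>runtime-lib</artifactId>
      <version>2.0.0</version>
      <scope>compile</scope>
    </dependency>
  </dependencies>
</project>"""

def leaked_test_boms(pom_xml):
    """Return (group, artifact, version) for each imported BOM from a test-only group."""
    root = ET.fromstring(pom_xml)
    hits = []
    path = "m:dependencyManagement/m:dependencies/m:dependency"
    for dep in root.findall(path, NS):
        def field(tag):
            return (dep.findtext(f"m:{tag}", default="", namespaces=NS) or "").strip()
        # A BOM import is a dependencyManagement entry with type=pom, scope=import.
        if field("type") == "pom" and field("scope") == "import" \
                and field("groupId") in TEST_ONLY_GROUPS:
            hits.append((field("groupId"), field("artifactId"), field("version")))
    return hits

if __name__ == "__main__":
    for g, a, v in leaked_test_boms(SAMPLE_POM):
        print(f"test BOM leaked to consumers: {g}:{a}:{v}")
```

Run as a release gate, a non-empty result means the artifact would constrain JUnit versions for every downstream build that resolves it.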