Standardize on Gradle Platforms or Spring Dependency Management Gradle Plugin for grails-bom application #14142
Description
Gradle Platforms: https://docs.gradle.org/current/userguide/platforms.html
implementation platform("org.grails:grails-bom:$grailsVersion")
vs
io.spring.dependency-management plugin: https://docs.spring.io/spring-boot/gradle-plugin/managing-dependencies.html
dependencyManagement {
imports {
mavenBom "org.grails:grails-bom:$grailsVersion")
}
}
Currently the grails-gradle-plugin automatically applies grails-bom via the Spring Dependency Management Gradle Plugin and also applies for spring-boot-dependencies, which is ALSO included in grails-bom with an import scope.
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>${spring-boot.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
We then apply grails-bom via Gradle Platforms in build.gradle dependencies {}, buildSrc/build.gradle dependencies{} and are in the process of adding it to build.gradle buildscript{} dependencies {} to make sure versions are applied and consistent. Since build.gradle buildscript{} dependencies {} does not appear to support adding grails-bom via a Gradle Plugin to control versions, if we go the Gradle Platforms route, we should just put the lines in the build.gradle file, instead of magically applying via the grails-Gradle plugin, so that it is consistent in all locations.
We need to standardize on one or the other.
When Customizing/Overridding Managed Versions, which should be rare, overriding versions directly in the dependencies{} block, IE. runtimeOnly "org.fusesource.jansi:jansi:1.18", is quicker/simpler/easier than the two examples provided by Spring. And it is doing it in the normal dependencies location instead of having to use another mechanism.
Andy Wilkinson, the io.spring.dependency-management plugin author: https://stackoverflow.com/a/76540836/26842213
The most notable difference in terms of performance is that Gradle's platform and enforcedPlatform support should be noticeably more efficient. Speaking as the main author of the dependency management plugin, unless you want to make use of the ability to override version properties, I would encourage you to use Gradle's platform and enforcedPlatform support.
Björn Kautler: https://discuss.gradle.org/t/migrate-maven-bom-to-gradle/46023/2
The spring dependency management plugin is an obsolete relict from times when Gradle did not have built-in BOM support. Even the maintainer of that plugin recommends not to use it anymore, but to use the built-in BOM support with platform(...). So you shouldn’t use that plugin.
To consume a BOM, just use something like implementation(platform("coordinates of the bom")), or actually a version catalog instead of the coordinates directly.