From db140d39e9f42cf56c647f4f3921da23f2ab2a1d Mon Sep 17 00:00:00 2001 From: Javier Aliaga Date: Fri, 10 Apr 2026 12:27:02 +0200 Subject: [PATCH 1/6] feat: add dapr-sdk-bom module for dependency version management (#1720) Standalone BOM (no parent inheritance) so consumers only get Dapr SDK artifact versions and security-critical transitive dependency overrides without inheriting the parent's 1500+ internal managed dependencies. Includes all published io.dapr and io.dapr.spring modules, plus security overrides for netty-bom (CVE-2026-33870/33871), jackson-bom, commons-compress, and commons-codec. Closes #1720 Signed-off-by: Javier Aliaga Signed-off-by: Javier Aliaga --- pom.xml | 1 + sdk-bom/pom.xml | 182 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 183 insertions(+) create mode 100644 sdk-bom/pom.xml diff --git a/pom.xml b/pom.xml index f4484aa3fc..262d0ffdda 100644 --- a/pom.xml +++ b/pom.xml @@ -727,6 +727,7 @@ + sdk-bom sdk-autogen sdk sdk-actors diff --git a/sdk-bom/pom.xml b/sdk-bom/pom.xml new file mode 100644 index 0000000000..b801264386 --- /dev/null +++ b/sdk-bom/pom.xml 
@@ -0,0 +1,182 @@ + + 4.0.0 + + io.dapr + dapr-sdk-bom + 1.18.0-SNAPSHOT + pom + dapr-sdk-bom + Dapr SDK Bill of Materials (BOM). Import this POM to manage versions + of all Dapr SDK modules and their security-critical transitive dependencies. + https://dapr.io + + + + Apache License Version 2.0 + https://opensource.org/licenses/Apache-2.0 + + + + + + Dapr + daprweb@microsoft.com + Dapr + https://dapr.io + + + + + https://github.com/dapr/java-sdk + scm:git:https://github.com/dapr/java-sdk.git + HEAD + + + + 1.18.0-SNAPSHOT + + 4.1.132.Final + 2.21.2 + + 1.26.0 + + + + + + + + + io.dapr + dapr-sdk-autogen + ${dapr.sdk.version} + + + io.dapr + dapr-sdk + ${dapr.sdk.version} + + + io.dapr + dapr-sdk-actors + ${dapr.sdk.version} + + + io.dapr + dapr-sdk-workflows + ${dapr.sdk.version} + + + io.dapr + dapr-sdk-springboot + ${dapr.sdk.version} + + + io.dapr + testcontainers-dapr + ${dapr.sdk.version} + + + io.dapr + durabletask-client + ${dapr.sdk.version} + + + + + + + io.dapr.spring + dapr-spring-data + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-6-data + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-messaging + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-workflows + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-properties + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-autoconfigure + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-4-autoconfigure + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-tests + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-starter + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-4-starter + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-starter-test + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-4-starter-test + ${dapr.sdk.version} + + + + + + + io.netty + netty-bom + ${netty.version} + pom + import + + + com.fasterxml.jackson + jackson-bom + ${jackson.version} + pom + import + + + org.apache.commons + 
commons-compress + ${commons-compress.version} + + + commons-codec + commons-codec + 1.17.2 + + + + + From 7128835c421a39891774de510c44f8d55ef5d4fb Mon Sep 17 00:00:00 2001 From: Javier Aliaga Date: Fri, 10 Apr 2026 12:51:45 +0200 Subject: [PATCH 2/6] docs: add BOM usage instructions to README (#1720) Document dapr-sdk-bom as the recommended way to import the SDK, with version-free dependency declarations for both Maven and Gradle. Keep the manual version approach as an alternative. Signed-off-by: Javier Aliaga Signed-off-by: Javier Aliaga --- README.md | 74 ++++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 63 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 1916cf5d49..ff83b11242 100644 --- a/README.md +++ b/README.md @@ -59,31 +59,43 @@ For the full list of available APIs, see the [Dapr API reference](https://docs.d If using [SDKMAN!](https://sdkman.io), execute `sdk env install` to install the required JDK. ### Importing Dapr's Java SDK + +#### Using the BOM (recommended) + +Import `dapr-sdk-bom` to manage all Dapr SDK versions and security-patched transitive dependencies in one place. This ensures your project inherits fixes for CVEs in transitive dependencies like Netty and Jackson. + For a Maven project, add the following to your `pom.xml` file: ```xml ... + + + + io.dapr + dapr-sdk-bom + 1.18.0 + pom + import + + + + - ... - + io.dapr dapr-sdk - 1.17.2 io.dapr dapr-sdk-actors - 1.17.2 io.dapr dapr-sdk-springboot - 1.17.2 - ... ... 
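Review bot: commons-codec is the only managed dependency in this file pinned with a literal (`1.17.2`) while netty, jackson and commons-compress go through `${netty.version}`, `${jackson.version}` and `${commons-compress.version}`; a `commons-codec.version` property alongside the others keeps all four security overrides in one place for the next bump. Because the BOM deliberately has no parent, those four override versions are copies of whatever the root POM manages (not visible in this patch) and will drift silently the next time the root bumps netty or jackson for a CVE, which defeats the purpose stated in the description; an XML comment above the properties, e.g. `<!-- Duplicated from the root pom.xml because this BOM has no parent; keep the two in sync. -->`, plus a CI check that the two agree, would make the duplication visible. The version script touched later in this series updates only `dapr.sdk.version` in this file, so the override versions have no automated update path at all.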
@@ -91,15 +103,55 @@ For a Maven project, add the following to your `pom.xml` file: For a Gradle project, add the following to your `build.gradle` file: -``` +```groovy dependencies { -... + // Import the BOM + implementation platform('io.dapr:dapr-sdk-bom:1.18.0') + // Dapr's core SDK with all features, except Actors. - compile('io.dapr:dapr-sdk:1.17.2') + implementation 'io.dapr:dapr-sdk' // Dapr's SDK for Actors (optional). - compile('io.dapr:dapr-sdk-actors:1.17.2') + implementation 'io.dapr:dapr-sdk-actors' // Dapr's SDK integration with SpringBoot (optional). - compile('io.dapr:dapr-sdk-springboot:1.17.2') + implementation 'io.dapr:dapr-sdk-springboot' +} +``` + +#### Without the BOM + +If you prefer to manage versions manually, specify the version on each dependency: + +For Maven: +```xml + + ... + + + io.dapr + dapr-sdk + 1.17.2 + + + io.dapr + dapr-sdk-actors + 1.17.2 + + + io.dapr + dapr-sdk-springboot + 1.17.2 + + + ... + +``` + +For Gradle: +```groovy +dependencies { + implementation 'io.dapr:dapr-sdk:1.17.2' + implementation 'io.dapr:dapr-sdk-actors:1.17.2' + implementation 'io.dapr:dapr-sdk-springboot:1.17.2' } ``` From 3fafe114855c7394c2d9ae0185759812324a584c Mon Sep 17 00:00:00 2001 From: Javier Aliaga Date: Fri, 10 Apr 2026 13:09:16 +0200 Subject: [PATCH 3/6] fix: update version script to handle standalone BOM (#1720) The BOM has no parent, so mvn versions:set skips it during the reactor walk. Add explicit -f sdk-bom/pom.xml calls to update both the artifact version and dapr.sdk.version property. Signed-off-by: Javier Aliaga Signed-off-by: Javier Aliaga --- .github/scripts/update_sdk_version.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/scripts/update_sdk_version.sh b/.github/scripts/update_sdk_version.sh index 0e5726ecca..909973b10c 100755 --- a/.github/scripts/update_sdk_version.sh +++ b/.github/scripts/update_sdk_version.sh 
@@ -12,6 +12,9 @@ mvn versions:set -DnewVersion=$DAPR_JAVA_SDK_VERSION -DprocessDependencies=true
 mvn versions:set-property -Dproperty=dapr.sdk.alpha.version -DnewVersion=$DAPR_JAVA_SDK_ALPHA_VERSION
 mvn versions:set-property -Dproperty=dapr.sdk.version -DnewVersion=$DAPR_JAVA_SDK_VERSION
 mvn versions:set-property -Dproperty=dapr.sdk.version -DnewVersion=$DAPR_JAVA_SDK_VERSION -f sdk-tests/pom.xml
+# BOM is standalone (no parent), so versions:set skips it — update it explicitly.
+mvn versions:set -DnewVersion=$DAPR_JAVA_SDK_VERSION -f sdk-bom/pom.xml
+mvn versions:set-property -Dproperty=dapr.sdk.version -DnewVersion=$DAPR_JAVA_SDK_VERSION -f sdk-bom/pom.xml
 mvn versions:set-property -Dproperty=dapr.sdk.alpha.version -DnewVersion=$DAPR_JAVA_SDK_ALPHA_VERSION -f sdk-tests/pom.xml
From 9ab1afa9e5de69f2b07c106207e1d64bbcb823cc Mon Sep 17 00:00:00 2001 From: Javier Aliaga Date: Fri, 10 Apr 2026 13:25:41 +0200 Subject: [PATCH 4/6] fix: add deploy and signing config to standalone BOM (#1720) The BOM has no parent so it doesn't inherit distributionManagement, nexus-staging-maven-plugin, or maven-gpg-plugin from the root POM. Without these the publish step would fail to stage and sign the artifact for Maven Central. Signed-off-by: Javier Aliaga Signed-off-by: Javier Aliaga
--- sdk-bom/pom.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+)
diff --git a/sdk-bom/pom.xml b/sdk-bom/pom.xml
index b801264386..a6230c64af 100644
--- a/sdk-bom/pom.xml
+++ b/sdk-bom/pom.xml
@@ -35,7 +35,15 @@ HEAD + + + ossrh + https://central.sonatype.com/repository/maven-snapshots/ + + + + true 1.18.0-SNAPSHOT 4.1.132.Final
@@ -44,6 +52,43 @@ 1.26.0 + + + + org.sonatype.plugins + nexus-staging-maven-plugin + 1.7.0 + true + + ossrh + https://ossrh-staging-api.central.sonatype.com + true + + + + org.apache.maven.plugins + maven-gpg-plugin + 3.1.0 + + + sign-artifacts + verify + + sign + + + + --batch + --pinentry-mode + loopback + + + + + + + + 
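Review bot: The two new invocations are inserted between the two `-f sdk-tests/pom.xml` lines, splitting that pair; moving them after the last `sdk-tests` line keeps the per-POM groups readable. Nothing in the hunk shows whether the script runs under `set -e`; if it does not, a failed `versions:set` on the standalone BOM leaves it at the old version while the reactor has already been bumped, which is exactly the mismatch the new comment warns about, so either `set -euo pipefail` at the top of the script (outside this hunk) or `|| exit 1` on the two new lines would surface it. `versions:set` also writes `pom.xml.versionsBackup` files unless `-DgenerateBackupPoms=false` is passed; none of the visible lines pass it, so confirm the existing flow already discards those before committing.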
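Review bot: The staging and signing configuration in this hunk (nexus-staging-maven-plugin 1.7.0 against `https://ossrh-staging-api.central.sonatype.com`, maven-gpg-plugin 3.1.0 with `--batch --pinentry-mode loopback`) and the snapshot distributionManagement in the previous hunk of this file duplicate what every other module inherits from the root POM, as the commit message says. Nothing here inherits, so a future endpoint change, plugin upgrade or change in key handling in the root POM will not reach the BOM, and an unsigned or mis-staged artifact only shows up at release time; an XML comment above the build section, e.g. `<!-- Duplicated from the root pom.xml (this BOM has no parent); update both together. -->`, makes that explicit to the next person editing the root. The `true` property added just before `1.18.0-SNAPSHOT` appears to be the signing skip flag (its element name is not legible in this hunk); since root-POM profiles and property defaults do not apply to this module either, confirm the release workflow overrides it on the command line for the BOM build as well.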
From c5962938d7b260185389b44938894a779ad6ae41 Mon Sep 17 00:00:00 2001 From: Javier Aliaga Date: Fri, 10 Apr 2026 13:59:38 +0200 Subject: [PATCH 5/6] fix: skip site generation for standalone BOM (#1720) The BOM has no parent, so it picks up maven-site-plugin 3.3 from Maven's defaults instead of 3.12.1 from pluginManagement. Pin the version and skip site since a POM-only BOM has no content to render. Signed-off-by: Javier Aliaga Signed-off-by: Javier Aliaga --- sdk-bom/pom.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/sdk-bom/pom.xml b/sdk-bom/pom.xml index a6230c64af..03e44a0b5a 100644 --- a/sdk-bom/pom.xml +++ b/sdk-bom/pom.xml @@ -54,6 +54,14 @@ + + org.apache.maven.plugins + maven-site-plugin + 3.12.1 + + true + + org.sonatype.plugins nexus-staging-maven-plugin From b4b10a6a63a0f49a9984547b238c53617bc9c93f Mon Sep 17 00:00:00 2001 From: Javier Aliaga Date: Mon, 13 Apr 2026 11:25:26 +0200 Subject: [PATCH 6/6] refactor: split BOM into core and Spring BOMs (#1720) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per review feedback from @siri-varma, split the single BOM into two: - io.dapr:dapr-sdk-bom — core SDK modules (dapr-sdk, dapr-sdk-actors, dapr-sdk-workflows, dapr-sdk-autogen, durabletask-client, testcontainers-dapr) plus security overrides - io.dapr.spring:dapr-spring-bom — Spring-specific modules (dapr-sdk-springboot, dapr-spring-*). Imports dapr-sdk-bom so Spring users only need this single BOM. This keeps the core BOM lightweight for non-Spring users, while letting Spring users align naturally with their existing dependency management. Also updates the version script and README to cover both BOMs. Signed-off-by: Javier Aliaga 
Signed-off-by: Javier Aliaga
--- .github/scripts/update_sdk_version.sh | 4 +- README.md | 68 ++++++++-- dapr-spring/dapr-spring-bom/pom.xml | 185 ++++++++++++++++++++++++++ dapr-spring/pom.xml | 1 + sdk-bom/pom.xml | 75 +---------- 5 files changed, 249 insertions(+), 84 deletions(-) create mode 100644 dapr-spring/dapr-spring-bom/pom.xml
diff --git a/.github/scripts/update_sdk_version.sh b/.github/scripts/update_sdk_version.sh
index 909973b10c..b2e1033be9 100755
--- a/.github/scripts/update_sdk_version.sh
+++ b/.github/scripts/update_sdk_version.sh
@@ -12,9 +12,11 @@ mvn versions:set -DnewVersion=$DAPR_JAVA_SDK_VERSION -DprocessDependencies=true
 mvn versions:set-property -Dproperty=dapr.sdk.alpha.version -DnewVersion=$DAPR_JAVA_SDK_ALPHA_VERSION
 mvn versions:set-property -Dproperty=dapr.sdk.version -DnewVersion=$DAPR_JAVA_SDK_VERSION
 mvn versions:set-property -Dproperty=dapr.sdk.version -DnewVersion=$DAPR_JAVA_SDK_VERSION -f sdk-tests/pom.xml
-# BOM is standalone (no parent), so versions:set skips it — update it explicitly.
+# BOMs are standalone (no parent), so versions:set skips them — update explicitly.
 mvn versions:set -DnewVersion=$DAPR_JAVA_SDK_VERSION -f sdk-bom/pom.xml
 mvn versions:set-property -Dproperty=dapr.sdk.version -DnewVersion=$DAPR_JAVA_SDK_VERSION -f sdk-bom/pom.xml
+mvn versions:set -DnewVersion=$DAPR_JAVA_SDK_VERSION -f dapr-spring/dapr-spring-bom/pom.xml
+mvn versions:set-property -Dproperty=dapr.sdk.version -DnewVersion=$DAPR_JAVA_SDK_VERSION -f dapr-spring/dapr-spring-bom/pom.xml
 mvn versions:set-property -Dproperty=dapr.sdk.alpha.version -DnewVersion=$DAPR_JAVA_SDK_ALPHA_VERSION -f sdk-tests/pom.xml
diff --git a/README.md b/README.md
index ff83b11242..6ab95b01b7 100644
--- a/README.md
+++ b/README.md
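Review bot: With a second standalone BOM the hunk now repeats the same `versions:set` / `versions:set-property` pair per path, and a third BOM would add another copy that is easy to forget; a loop over the BOM paths keeps the list of standalone POMs in one place, so the updated comment ("BOMs are standalone") and the loop variable together document exactly which files are outside the reactor walk. The `sdk-tests` lines are still split around the BOM block; placing the loop after the last `sdk-tests` line keeps the groups together. Quoting `"$bom"` in the loop is the one behavioural difference from the current lines, and only matters if a path ever contains whitespace.
```shell
# … unchanged: reactor and sdk-tests version updates above …
# BOMs are standalone (no parent), so versions:set skips them — update explicitly.
for bom in sdk-bom/pom.xml dapr-spring/dapr-spring-bom/pom.xml; do
  mvn versions:set -DnewVersion=$DAPR_JAVA_SDK_VERSION -f "$bom"
  mvn versions:set-property -Dproperty=dapr.sdk.version -DnewVersion=$DAPR_JAVA_SDK_VERSION -f "$bom"
done
```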
@@ -60,11 +60,18 @@ If using [SDKMAN!](https://sdkman.io), execute `sdk env install` to install the ### Importing Dapr's Java SDK -#### Using the BOM (recommended) +#### Using a BOM (recommended) -Import `dapr-sdk-bom` to manage all Dapr SDK versions and security-patched transitive dependencies in one place. This ensures your project inherits fixes for CVEs in transitive dependencies like Netty and Jackson. +Two BOMs are published: -For a Maven project, add the following to your `pom.xml` file: +- **`io.dapr:dapr-sdk-bom`** — core SDK modules (`dapr-sdk`, `dapr-sdk-actors`, `dapr-sdk-workflows`, `dapr-sdk-autogen`, `durabletask-client`, `testcontainers-dapr`) plus security-patched transitive dependencies (Netty, Jackson, commons-compress, commons-codec). +- **`io.dapr.spring:dapr-spring-bom`** — Spring-specific modules (`dapr-sdk-springboot`, `dapr-spring-*`). Imports `dapr-sdk-bom` transitively, so Spring users only need this single BOM. + +Pick the one that matches your project. Importing a BOM ensures you inherit security fixes for transitive dependencies like the Netty CVEs. + +##### Core (non-Spring) projects + +For Maven: ```xml ... 
@@ -91,29 +98,66 @@ For a Maven project, add the following to your `pom.xml` file: io.dapr dapr-sdk-actors - - - io.dapr - dapr-sdk-springboot - ... ``` -For a Gradle project, add the following to your `build.gradle` file: - +For Gradle: ```groovy dependencies { - // Import the BOM implementation platform('io.dapr:dapr-sdk-bom:1.18.0') // Dapr's core SDK with all features, except Actors. implementation 'io.dapr:dapr-sdk' // Dapr's SDK for Actors (optional). implementation 'io.dapr:dapr-sdk-actors' - // Dapr's SDK integration with SpringBoot (optional). +} +``` + +##### Spring Boot projects + +For Maven: +```xml + + ... + + + + io.dapr.spring + dapr-spring-bom + 1.18.0 + pom + import + + + + + + + + io.dapr + dapr-sdk-springboot + + + + io.dapr.spring + dapr-spring-boot-starter + + + ... + +``` + +For Gradle: +```groovy +dependencies { + implementation platform('io.dapr.spring:dapr-spring-bom:1.18.0') + + // Dapr's SDK integration with Spring Boot. implementation 'io.dapr:dapr-sdk-springboot' + // Optional Spring Boot starter. + implementation 'io.dapr.spring:dapr-spring-boot-starter' } ``` diff --git a/dapr-spring/dapr-spring-bom/pom.xml b/dapr-spring/dapr-spring-bom/pom.xml new file mode 100644 index 0000000000..d15820a210 --- /dev/null +++ b/dapr-spring/dapr-spring-bom/pom.xml 
@@ -0,0 +1,185 @@ + + 4.0.0 + + io.dapr.spring + dapr-spring-bom + 1.18.0-SNAPSHOT + pom + dapr-spring-bom + Dapr Spring Bill of Materials (BOM). Import this POM to manage versions + of dapr-sdk-springboot and all dapr-spring-* modules. Imports dapr-sdk-bom + transitively, so Spring users only need this single BOM. + https://dapr.io + + + + Apache License Version 2.0 + https://opensource.org/licenses/Apache-2.0 + + + + + + Dapr + daprweb@microsoft.com + Dapr + https://dapr.io + + + + + https://github.com/dapr/java-sdk + scm:git:https://github.com/dapr/java-sdk.git + HEAD + + + + + ossrh + https://central.sonatype.com/repository/maven-snapshots/ + + + + + true + 1.18.0-SNAPSHOT + + + + + + org.apache.maven.plugins + maven-site-plugin + 3.12.1 + + true + + + + org.sonatype.plugins + nexus-staging-maven-plugin + 1.7.0 + true + + ossrh + https://ossrh-staging-api.central.sonatype.com + true + + + + org.apache.maven.plugins + maven-gpg-plugin + 3.1.0 + + + sign-artifacts + verify + + sign + + + + --batch + --pinentry-mode + loopback + + + + + + + + + + + + + + + + io.dapr + dapr-sdk-bom + ${dapr.sdk.version} + pom + import + + + + + + + io.dapr + dapr-sdk-springboot + ${dapr.sdk.version} + + + + + + + io.dapr.spring + dapr-spring-data + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-6-data + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-messaging + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-workflows + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-properties + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-autoconfigure + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-4-autoconfigure + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-tests + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-starter + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-4-starter + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-starter-test + ${dapr.sdk.version} + + + 
io.dapr.spring + dapr-spring-boot-4-starter-test + ${dapr.sdk.version} + + + + + diff --git a/dapr-spring/pom.xml b/dapr-spring/pom.xml index 842b4355b4..d411ceb51f 100644 --- a/dapr-spring/pom.xml +++ b/dapr-spring/pom.xml @@ -18,6 +18,7 @@ SDK extension for Spring and Spring Boot + dapr-spring-bom dapr-spring-data dapr-spring-6-data dapr-spring-messaging diff --git a/sdk-bom/pom.xml b/sdk-bom/pom.xml index 03e44a0b5a..8cd40c6574 100644 --- a/sdk-bom/pom.xml +++ b/sdk-bom/pom.xml @@ -9,8 +9,10 @@ 1.18.0-SNAPSHOT pom dapr-sdk-bom - Dapr SDK Bill of Materials (BOM). Import this POM to manage versions - of all Dapr SDK modules and their security-critical transitive dependencies. + Dapr SDK Bill of Materials (BOM) for the core SDK modules. Import this POM + to manage versions of dapr-sdk, dapr-sdk-actors, dapr-sdk-workflows, and their + security-critical transitive dependencies. Spring users should also import + dapr-spring-bom for the Spring-specific modules. https://dapr.io @@ -122,11 +124,6 @@ dapr-sdk-workflows ${dapr.sdk.version} - - io.dapr - dapr-sdk-springboot - ${dapr.sdk.version} - io.dapr testcontainers-dapr 
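Review bot: The description's claim that importing `dapr-spring-bom` alone brings along the core BOM's security overrides holds only when this BOM is the first BOM declared in the consumer's dependencyManagement: Maven keeps the first managed version it encounters, so a project that lists `spring-boot-dependencies` before `dapr-spring-bom` keeps Spring Boot's netty and jackson versions and never sees the patched ones from `dapr-sdk-bom`, exactly the case the BOM is meant to cover. A sentence in the description (and in the README example for Spring projects) saying to import this BOM before `spring-boot-dependencies`, or to pin the patched versions explicitly when the order cannot be controlled, would make the security claim accurate. This file also copies the site, staging and signing plugin configuration verbatim from `sdk-bom/pom.xml`; a comment such as `<!-- Duplicated from the root pom.xml and sdk-bom/pom.xml (no parent); update all copies together. -->` keeps the three from drifting.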
@@ -138,70 +135,6 @@ ${dapr.sdk.version} - - - - - io.dapr.spring - dapr-spring-data - ${dapr.sdk.version} - - - io.dapr.spring - dapr-spring-6-data - ${dapr.sdk.version} - - - io.dapr.spring - dapr-spring-messaging - ${dapr.sdk.version} - - - io.dapr.spring - dapr-spring-workflows - ${dapr.sdk.version} - - - io.dapr.spring - dapr-spring-boot-properties - ${dapr.sdk.version} - - - io.dapr.spring - dapr-spring-boot-autoconfigure - ${dapr.sdk.version} - - - io.dapr.spring - dapr-spring-boot-4-autoconfigure - ${dapr.sdk.version} - - - io.dapr.spring - dapr-spring-boot-tests - ${dapr.sdk.version} - - - io.dapr.spring - dapr-spring-boot-starter - ${dapr.sdk.version} - - - io.dapr.spring - dapr-spring-boot-4-starter - ${dapr.sdk.version} - - - io.dapr.spring - dapr-spring-boot-starter-test - ${dapr.sdk.version} - - - io.dapr.spring - dapr-spring-boot-4-starter-test - ${dapr.sdk.version} - -