feat: publish dapr-sdk-bom artifact for transitive dependency management (dapr#1722)

javier-aliaga · javier-aliaga · commit 7b02aa2eeeca · 2026-04-14T12:00:11.000+02:00
* feat: add dapr-sdk-bom module for dependency version management (dapr#1720) Standalone BOM (no parent inheritance) so consumers only get Dapr SDK artifact versions and security-critical transitive dependency overrides without inheriting the parent's 1500+ internal managed dependencies. Includes all published io.dapr and io.dapr.spring modules, plus security overrides for netty-bom (CVE-2026-33870/33871), jackson-bom, commons-compress, and commons-codec. Closes dapr#1720 Signed-off-by: Javier Aliaga <javier@aliaga.dev> Signed-off-by: Javier Aliaga <javier@diagrid.io> * docs: add BOM usage instructions to README (dapr#1720) Document dapr-sdk-bom as the recommended way to import the SDK, with version-free dependency declarations for both Maven and Gradle. Keep the manual version approach as an alternative. Signed-off-by: Javier Aliaga <javier@aliaga.dev> Signed-off-by: Javier Aliaga <javier@diagrid.io> * fix: update version script to handle standalone BOM (dapr#1720) The BOM has no parent, so mvn versions:set skips it during the reactor walk. Add explicit -f sdk-bom/pom.xml calls to update both the artifact version and dapr.sdk.version property. Signed-off-by: Javier Aliaga <javier@aliaga.dev> Signed-off-by: Javier Aliaga <javier@diagrid.io> * fix: add deploy and signing config to standalone BOM (dapr#1720) The BOM has no parent so it doesn't inherit distributionManagement, nexus-staging-maven-plugin, or maven-gpg-plugin from the root POM. Without these the publish step would fail to stage and sign the artifact for Maven Central. Signed-off-by: Javier Aliaga <javier@aliaga.dev> Signed-off-by: Javier Aliaga <javier@diagrid.io> * fix: skip site generation for standalone BOM (dapr#1720) The BOM has no parent, so it picks up maven-site-plugin 3.3 from Maven's defaults instead of 3.12.1 from pluginManagement. Pin the version and skip site since a POM-only BOM has no content to render. Signed-off-by: Javier Aliaga <javier@aliaga.dev> Signed-off-by: Javier Aliaga <javier@diagrid.io> * refactor: split BOM into core and Spring BOMs (dapr#1720) Per review feedback from @siri-varma, split the single BOM into two: - io.dapr:dapr-sdk-bom — core SDK modules (dapr-sdk, dapr-sdk-actors, dapr-sdk-workflows, dapr-sdk-autogen, durabletask-client, testcontainers-dapr) plus security overrides - io.dapr.spring:dapr-spring-bom — Spring-specific modules (dapr-sdk-springboot, dapr-spring-*). Imports dapr-sdk-bom so Spring users only need this single BOM. This keeps the core BOM lightweight for non-Spring users, while letting Spring users align naturally with their existing dependency management. Also updates the version script and README to cover both BOMs. Signed-off-by: Javier Aliaga <javier@aliaga.dev> Signed-off-by: Javier Aliaga <javier@diagrid.io> --------- Signed-off-by: Javier Aliaga <javier@aliaga.dev> Signed-off-by: Javier Aliaga <javier@diagrid.io>
diff --git a/.github/scripts/update_sdk_version.sh b/.github/scripts/update_sdk_version.sh
@@ -12,6 +12,11 @@ mvn versions:set -DnewVersion=$DAPR_JAVA_SDK_VERSION -DprocessDependencies=true
 mvn versions:set-property -Dproperty=dapr.sdk.alpha.version -DnewVersion=$DAPR_JAVA_SDK_ALPHA_VERSION
 mvn versions:set-property -Dproperty=dapr.sdk.version -DnewVersion=$DAPR_JAVA_SDK_VERSION
 mvn versions:set-property -Dproperty=dapr.sdk.version -DnewVersion=$DAPR_JAVA_SDK_VERSION -f sdk-tests/pom.xml
+# BOMs are standalone (no parent), so versions:set skips them — update explicitly.
+mvn versions:set -DnewVersion=$DAPR_JAVA_SDK_VERSION -f sdk-bom/pom.xml
+mvn versions:set-property -Dproperty=dapr.sdk.version -DnewVersion=$DAPR_JAVA_SDK_VERSION -f sdk-bom/pom.xml
+mvn versions:set -DnewVersion=$DAPR_JAVA_SDK_VERSION -f dapr-spring/dapr-spring-bom/pom.xml
+mvn versions:set-property -Dproperty=dapr.sdk.version -DnewVersion=$DAPR_JAVA_SDK_VERSION -f dapr-spring/dapr-spring-bom/pom.xml
 mvn versions:set-property -Dproperty=dapr.sdk.alpha.version -DnewVersion=$DAPR_JAVA_SDK_ALPHA_VERSION -f sdk-tests/pom.xml
 
 
diff --git a/README.md b/README.md
@@ -59,47 +59,143 @@ For the full list of available APIs, see the [Dapr API reference](https://docs.d
 If using [SDKMAN!](https://sdkman.io), execute `sdk env install` to install the required JDK.
 
 ### Importing Dapr's Java SDK
-For a Maven project, add the following to your `pom.xml` file:
+
+#### Using a BOM (recommended)
+
+Two BOMs are published:
+
+- **`io.dapr:dapr-sdk-bom`** — core SDK modules (`dapr-sdk`, `dapr-sdk-actors`, `dapr-sdk-workflows`, `dapr-sdk-autogen`, `durabletask-client`, `testcontainers-dapr`) plus security-patched transitive dependencies (Netty, Jackson, commons-compress, commons-codec).
+- **`io.dapr.spring:dapr-spring-bom`** — Spring-specific modules (`dapr-sdk-springboot`, `dapr-spring-*`). Imports `dapr-sdk-bom` transitively, so Spring users only need this single BOM.
+
+Pick the one that matches your project. Importing a BOM ensures you inherit security fixes for transitive dependencies like the Netty CVEs.
+
+##### Core (non-Spring) projects
+
+For Maven:
 ```xml
 <project>
   ...
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>io.dapr</groupId>
+        <artifactId>dapr-sdk-bom</artifactId>
+        <version>1.18.0</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
   <dependencies>
-    ...
-     <!-- Dapr's core SDK with all features, except Actors. -->
+    <!-- Dapr's core SDK with all features, except Actors. -->
     <dependency>
       <groupId>io.dapr</groupId>
       <artifactId>dapr-sdk</artifactId>
-      <version>1.17.2</version>
     </dependency>
     <!-- Dapr's SDK for Actors (optional). -->
     <dependency>
       <groupId>io.dapr</groupId>
       <artifactId>dapr-sdk-actors</artifactId>
-      <version>1.17.2</version>
     </dependency>
-    <!-- Dapr's SDK integration with SpringBoot (optional). -->
+  </dependencies>
+  ...
+</project>
+```
+
+For Gradle:
+```groovy
+dependencies {
+    implementation platform('io.dapr:dapr-sdk-bom:1.18.0')
+
+    // Dapr's core SDK with all features, except Actors.
+    implementation 'io.dapr:dapr-sdk'
+    // Dapr's SDK for Actors (optional).
+    implementation 'io.dapr:dapr-sdk-actors'
+}
+```
+
+##### Spring Boot projects
+
+For Maven:
+```xml
+<project>
+  ...
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>io.dapr.spring</groupId>
+        <artifactId>dapr-spring-bom</artifactId>
+        <version>1.18.0</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
+  <dependencies>
+    <!-- Dapr's SDK integration with Spring Boot. -->
     <dependency>
       <groupId>io.dapr</groupId>
       <artifactId>dapr-sdk-springboot</artifactId>
-      <version>1.17.2</version>
     </dependency>
-    ...
+    <!-- Optional Spring Boot starter. -->
+    <dependency>
+      <groupId>io.dapr.spring</groupId>
+      <artifactId>dapr-spring-boot-starter</artifactId>
+    </dependency>
   </dependencies>
   ...
 </project>
 ```
 
-For a Gradle project, add the following to your `build.gradle` file:
+For Gradle:
+```groovy
+dependencies {
+    implementation platform('io.dapr.spring:dapr-spring-bom:1.18.0')
 
+    // Dapr's SDK integration with Spring Boot.
+    implementation 'io.dapr:dapr-sdk-springboot'
+    // Optional Spring Boot starter.
+    implementation 'io.dapr.spring:dapr-spring-boot-starter'
+}
 ```
+
+#### Without the BOM
+
+If you prefer to manage versions manually, specify the version on each dependency:
+
+For Maven:
+```xml
+<project>
+  ...
+  <dependencies>
+    <dependency>
+      <groupId>io.dapr</groupId>
+      <artifactId>dapr-sdk</artifactId>
+      <version>1.17.2</version>
+    </dependency>
+    <dependency>
+      <groupId>io.dapr</groupId>
+      <artifactId>dapr-sdk-actors</artifactId>
+      <version>1.17.2</version>
+    </dependency>
+    <dependency>
+      <groupId>io.dapr</groupId>
+      <artifactId>dapr-sdk-springboot</artifactId>
+      <version>1.17.2</version>
+    </dependency>
+  </dependencies>
+  ...
+</project>
+```
+
+For Gradle:
+```groovy
 dependencies {
-...
-    // Dapr's core SDK with all features, except Actors.
-    compile('io.dapr:dapr-sdk:1.17.2')
-    // Dapr's SDK for Actors (optional).
-    compile('io.dapr:dapr-sdk-actors:1.17.2')
-    // Dapr's SDK integration with SpringBoot (optional).
-    compile('io.dapr:dapr-sdk-springboot:1.17.2')
+    implementation 'io.dapr:dapr-sdk:1.17.2'
+    implementation 'io.dapr:dapr-sdk-actors:1.17.2'
+    implementation 'io.dapr:dapr-sdk-springboot:1.17.2'
 }
 ```
 
diff --git a/dapr-spring/dapr-spring-bom/pom.xml b/dapr-spring/dapr-spring-bom/pom.xml
@@ -0,0 +1,185 @@
+<project
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="http://maven.apache.org/POM/4.0.0"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>io.dapr.spring</groupId>
+  <artifactId>dapr-spring-bom</artifactId>
+  <version>1.18.0-SNAPSHOT</version>
+  <packaging>pom</packaging>
+  <name>dapr-spring-bom</name>
+  <description>Dapr Spring Bill of Materials (BOM). Import this POM to manage versions
+    of dapr-sdk-springboot and all dapr-spring-* modules. Imports dapr-sdk-bom
+    transitively, so Spring users only need this single BOM.</description>
+  <url>https://dapr.io</url>
+
+  <licenses>
+    <license>
+      <name>Apache License Version 2.0</name>
+      <url>https://opensource.org/licenses/Apache-2.0</url>
+    </license>
+  </licenses>
+
+  <developers>
+    <developer>
+      <name>Dapr</name>
+      <email>daprweb@microsoft.com</email>
+      <organization>Dapr</organization>
+      <organizationUrl>https://dapr.io</organizationUrl>
+    </developer>
+  </developers>
+
+  <scm>
+    <url>https://github.com/dapr/java-sdk</url>
+    <connection>scm:git:https://github.com/dapr/java-sdk.git</connection>
+    <tag>HEAD</tag>
+  </scm>
+
+  <distributionManagement>
+    <snapshotRepository>
+      <id>ossrh</id>
+      <url>https://central.sonatype.com/repository/maven-snapshots/</url>
+    </snapshotRepository>
+  </distributionManagement>
+
+  <properties>
+    <gpg.skip>true</gpg.skip>
+    <dapr.sdk.version>1.18.0-SNAPSHOT</dapr.sdk.version>
+  </properties>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-site-plugin</artifactId>
+        <version>3.12.1</version>
+        <configuration>
+          <skip>true</skip>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>org.sonatype.plugins</groupId>
+        <artifactId>nexus-staging-maven-plugin</artifactId>
+        <version>1.7.0</version>
+        <extensions>true</extensions>
+        <configuration>
+          <serverId>ossrh</serverId>
+          <nexusUrl>https://ossrh-staging-api.central.sonatype.com</nexusUrl>
+          <autoReleaseAfterClose>true</autoReleaseAfterClose>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-gpg-plugin</artifactId>
+        <version>3.1.0</version>
+        <executions>
+          <execution>
+            <id>sign-artifacts</id>
+            <phase>verify</phase>
+            <goals>
+              <goal>sign</goal>
+            </goals>
+            <configuration>
+              <gpgArguments>
+                <arg>--batch</arg>
+                <arg>--pinentry-mode</arg>
+                <arg>loopback</arg>
+              </gpgArguments>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+    </plugins>
+  </build>
+
+  <dependencyManagement>
+    <dependencies>
+      <!-- ====================================================================== -->
+      <!-- Import the core Dapr SDK BOM so Spring users get all SDK modules       -->
+      <!-- and security overrides via this single BOM.                            -->
+      <!-- ====================================================================== -->
+      <dependency>
+        <groupId>io.dapr</groupId>
+        <artifactId>dapr-sdk-bom</artifactId>
+        <version>${dapr.sdk.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+
+      <!-- ====================================================================== -->
+      <!-- Spring integration module (groupId io.dapr)                            -->
+      <!-- ====================================================================== -->
+      <dependency>
+        <groupId>io.dapr</groupId>
+        <artifactId>dapr-sdk-springboot</artifactId>
+        <version>${dapr.sdk.version}</version>
+      </dependency>
+
+      <!-- ====================================================================== -->
+      <!-- Dapr Spring modules (groupId io.dapr.spring)                           -->
+      <!-- ====================================================================== -->
+      <dependency>
+        <groupId>io.dapr.spring</groupId>
+        <artifactId>dapr-spring-data</artifactId>
+        <version>${dapr.sdk.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.dapr.spring</groupId>
+        <artifactId>dapr-spring-6-data</artifactId>
+        <version>${dapr.sdk.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.dapr.spring</groupId>
+        <artifactId>dapr-spring-messaging</artifactId>
+        <version>${dapr.sdk.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.dapr.spring</groupId>
+        <artifactId>dapr-spring-workflows</artifactId>
+        <version>${dapr.sdk.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.dapr.spring</groupId>
+        <artifactId>dapr-spring-boot-properties</artifactId>
+        <version>${dapr.sdk.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.dapr.spring</groupId>
+        <artifactId>dapr-spring-boot-autoconfigure</artifactId>
+        <version>${dapr.sdk.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.dapr.spring</groupId>
+        <artifactId>dapr-spring-boot-4-autoconfigure</artifactId>
+        <version>${dapr.sdk.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.dapr.spring</groupId>
+        <artifactId>dapr-spring-boot-tests</artifactId>
+        <version>${dapr.sdk.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.dapr.spring</groupId>
+        <artifactId>dapr-spring-boot-starter</artifactId>
+        <version>${dapr.sdk.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.dapr.spring</groupId>
+        <artifactId>dapr-spring-boot-4-starter</artifactId>
+        <version>${dapr.sdk.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.dapr.spring</groupId>
+        <artifactId>dapr-spring-boot-starter-test</artifactId>
+        <version>${dapr.sdk.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.dapr.spring</groupId>
+        <artifactId>dapr-spring-boot-4-starter-test</artifactId>
+        <version>${dapr.sdk.version}</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
+</project>
diff --git a/dapr-spring/pom.xml b/dapr-spring/pom.xml
@@ -18,6 +18,7 @@
   <description>SDK extension for Spring and Spring Boot</description>
 
   <modules>
+    <module>dapr-spring-bom</module>
     <module>dapr-spring-data</module>
     <module>dapr-spring-6-data</module>
     <module>dapr-spring-messaging</module>
diff --git a/pom.xml b/pom.xml
@@ -727,6 +727,7 @@
   </scm>
 
   <modules>
+    <module>sdk-bom</module>
     <module>sdk-autogen</module>
     <module>sdk</module>
     <module>sdk-actors</module>
diff --git a/sdk-bom/pom.xml b/sdk-bom/pom.xml
