spring-boot-starter-oauth2-client has an unnecessary dependency on com.sun.mail:jakarta.mail

[martin-v]

oauth2-client don't depend on any mail dependency, so it's just confusing and causing problems with javax.mail.* to jakarta.mail.* package name change.

Was introduced with d6a869f, probably there are more similar cases.

[wilkinsona]

Thanks for the PR.

At the time of d6a869f, com.sun.mail:javax.mail was a dependency of the managed version of oauth2-oidc-sdk. This meant that the made in that commit were necessary to replace the javax.mail dependency with its jakarta.mail equivalent. It looks like this stopped being the case in Spring Boot 2.4 when we upgraded to 8.23 of the OIDC SDK which no longer has the mail dependency but we missed it.

probably there are more similar cases.

Can you expand a bit on this, please? If there are other cases, it'd be good to address them as well but I don't understand why you think they're likely.

[martin-v]

Thanks for the fast response.

Can you expand a bit on this, please? If there are other cases, it'd be good to address them as well but I don't understand why you think they're likely.

I just took a quick look at the commit d6a869f and saw that there are more exclude/add cases similar to one I reverted in the PR. So I guessed that it is possible that here are more cases where the exclude/add is no longer necessary. E.g. the upstream project uses the jakarta version by itself now. (would be just a code smell, because the dependency is still necessary) or as in this PR case the dependency is obsolete now. But I didn't check any other cases.

[wilkinsona]

Thanks, @martin-v. I think we could add a custom Gradle task to detect unnecessary exclusions. That may then help us to spot places where we've done an unnecessary addition too. I've opened #28332.

[wilkinsona]

@martin-v Thanks very much for making your first contribution to Spring Boot.

[martin-v]

Thanks, it was a pleasure :)