
I am using Apache Maven 3.6.3 and Spring Boot 1.5 without a microservice architecture. I am working on a task to remediate vulnerable dependencies currently present in the dependency tree of our project. logback-classic is one of those dependencies. I can change the version of top-level dependencies (in the top-level POM), but I am not able to upgrade its version from 1.11.1 to 1.2.3 for the logback dependency present in the spring-boot-starter-web starter used in one of the child POMs.

I am able to exclude such versions as follows:

<dependencies>
   <dependency>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-web</artifactId>
     <version>2.2.0.RELEASE</version>
     <exclusions>
        <exclusion>
            <groupId>ch.qos.logback</groupId>
            <artifactId>logback-classic</artifactId>
        </exclusion>
     </exclusions>
   </dependency>
</dependencies>

However, I am not able to update the version of the same dependency present in the dependency tree of the spring-boot-starter-web starter of one of the JARs in the project. I tried to provide the version update using the <dependencyManagement> tag as follows:

<project>
   ......
   <dependencyManagement>
        <dependencies>
             <dependency>
                  <groupId>ch.qos.logback</groupId>
                  <artifactId>logback-classic</artifactId>
                  <version>1.2.3</version>
                  <type>pom</type>
                  <scope>import</scope>
             </dependency>
        </dependencies>
   </dependencyManagement>

   <dependencies>
      <dependency>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-web</artifactId>
         <version>2.2.0.RELEASE</version>
         <exclusions>
            <exclusion>
               <groupId>ch.qos.logback</groupId>
               <artifactId>logback-classic</artifactId>
            </exclusion>
         </exclusions>
      </dependency>
      ........
   </dependencies>

   ......
</project>

Note: In <dependencyManagement>, I initially tried without the <type> and <scope> tags as well, but either way I am only able to exclude the vulnerable logback-classic dependency; I can't update it to 1.2.3 inside spring-boot-starter-web in that particular child POM.
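For comparison, here is an added example POM fragment (my own, not code from the question or from the Spring Boot project) that overrides the transitive logback-classic version instead of excluding it. It assumes the coordinates and versions named in the question and comments (logback 1.2.3, Spring Boot 1.5.22.RELEASE); the project coordinates are placeholders. Two things in the question's attempt prevent the override from taking effect: `<type>pom</type>` plus `<scope>import</scope>` turns the managed entry into a BOM import (logback-classic is not a BOM, so nothing is applied to the real jar), and the `<exclusion>` removes the artifact from the tree entirely, so there is no dependency left for `<dependencyManagement>` to re-version.

```xml
<!-- Added example: pom.xml of the child module (or the parent it inherits from).
     Assumed coordinates: com.example placeholders; versions taken from the question. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>                 <!-- placeholder -->
  <artifactId>logback-override-demo</artifactId> <!-- placeholder -->
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Option A: when the POM inherits from spring-boot-starter-parent or imports
         spring-boot-dependencies, the starter's logback version is driven by the
         logback.version property; overriding the property here re-versions both
         logback-classic and logback-core in one place. -->
    <logback.version>1.2.3</logback.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Option B: plain managed entries, which Maven applies to transitive
           dependencies as well. Note: no <type>pom</type> and no <scope>import</scope>;
           those are only for importing a BOM. logback-core is managed too, because
           a BOM-pinned logback-core 1.1.x would otherwise be paired with classic 1.2.3. -->
      <dependency>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-classic</artifactId>
        <version>1.2.3</version>
      </dependency>
      <dependency>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-core</artifactId>
        <version>1.2.3</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- No <exclusions> on the starter: an excluded artifact is dropped from the
         tree, so a managed version can never be applied to it. Exclude only when
         the intent is to remove the library, not to upgrade it. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <version>1.5.22.RELEASE</version>
    </dependency>
  </dependencies>
</project>
```

To confirm which version actually ends up on the classpath, run `mvn dependency:tree -Dverbose -Dincludes=ch.qos.logback` from the child module: with the override in place the tree shows logback-classic and logback-core at 1.2.3 annotated with the version they were managed from; with the exclusion from the question they do not appear at all, which is why the exclusion looked like it "worked" while the upgrade did not. `mvn help:effective-pom` shows the merged `<dependencyManagement>` the child module really sees, which is the quickest way to spot a stray `<scope>import</scope>`. A managed version declared in the child POM takes precedence over one inherited from the parent, so the override can live in either place.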

Comments:

Farhad: Please provide Spring Boot version.
Aniruddh Dwivedi: @Farhad: Spring Boot 1.5.22.RELEASE with Jackson BOM 2.9.10.20191020 & Commons BeanUtils 1.9.4
khmarbaise: Most important: use the most recent version of Spring Boot... 2.4.2 (Spring Boot 1.X is EoL) ...

1 Answer


The library you mentioned (logback-classic) has many compatibility problems reported, as you can see here in the related issue on its repository.

I recommend that you try different versions of Spring (newer ones) and check the result. Search around in the GitHub issues for versions and updates; you might find something.