Grails 6.1.0 based application references snakeyaml 1.30

[stefanbozic]

Expected Behavior

The release notes states
"Remove explicit 1.33 from SnakeYaml to auto resolve to Snake YAML 2"

Actual Behaviour

The latestSnakeyaml version 2.2 is NOT found in the dependency report of an Grails 6.1.0 application.

Instead ther are multiple entries like the following in the dependencies report

org.yaml:snakeyaml:2.0 -> 1.30

The old snakeyaml version is shipped with spring-boot-starter

+--- org.springframework.boot:spring-boot-starter -> 2.7.16
|    +--- org.springframework.boot:spring-boot:2.7.16 (*)
|    +--- org.springframework.boot:spring-boot-autoconfigure:2.7.16 (*)
|    +--- org.springframework.boot:spring-boot-starter-logging:2.7.16
|    |    +--- ch.qos.logback:logback-classic:1.2.12
|    |    |    +--- ch.qos.logback:logback-core:1.2.12
|    |    |    \--- org.slf4j:slf4j-api:1.7.32 -> 1.7.36
|    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.17.2
|    |    |    +--- org.slf4j:slf4j-api:1.7.35 -> 1.7.36
|    |    |    \--- org.apache.logging.log4j:log4j-api:2.17.2
|    |    \--- org.slf4j:jul-to-slf4j:1.7.36
|    |         \--- org.slf4j:slf4j-api:1.7.36
|    +--- jakarta.annotation:jakarta.annotation-api:1.3.5 -> 2.0.0
|    +--- org.springframework:spring-core:5.3.30 (*)
|    \--- org.yaml:snakeyaml:1.30

Steps To Reproduce

1. Create an empty project via "grails create-app test6_1_0"
2. In this new project call "./gradlew dependencies"
3. You will find several occurences of "org.yaml:snakeyaml:2.0 -> 1.30"

Environment Information

$ ./gradlew -v

------------------------------------------------------------
Gradle 7.6.3
------------------------------------------------------------

Build time:   2023-10-04 15:59:47 UTC
Revision:     1694251d59e0d4752d547e1fd5b5020b798a7e71

Kotlin:       1.7.10
Groovy:       3.0.13
Ant:          Apache Ant(TM) version 1.10.11 compiled on July 10 2021
JVM:          11.0.20 (Azul Systems, Inc. 11.0.20+8-LTS)
OS:           Windows 10 10.0 amd64

Example Application

No response

Version

6.1.0

[stefanbozic]

Snakeyaml version can be set globally in gradle.properties like this:

snakeyaml.version=2.2

which will overwrite the version for spring-boot-starter

+--- org.springframework.boot:spring-boot-starter -> 2.7.16
|    +--- org.springframework.boot:spring-boot:2.7.16 (*)
|    +--- org.springframework.boot:spring-boot-autoconfigure:2.7.16 (*)
|    +--- org.springframework.boot:spring-boot-starter-logging:2.7.16
|    |    +--- ch.qos.logback:logback-classic:1.2.12
|    |    |    +--- ch.qos.logback:logback-core:1.2.12
|    |    |    \--- org.slf4j:slf4j-api:1.7.32 -> 1.7.36
|    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.17.2
|    |    |    +--- org.slf4j:slf4j-api:1.7.35 -> 1.7.36
|    |    |    \--- org.apache.logging.log4j:log4j-api:2.17.2
|    |    \--- org.slf4j:jul-to-slf4j:1.7.36
|    |         \--- org.slf4j:slf4j-api:1.7.36
|    +--- jakarta.annotation:jakarta.annotation-api:1.3.5 -> 2.0.0
|    +--- org.springframework:spring-core:5.3.30 (*)
|    \--- org.yaml:snakeyaml:1.30 -> 2.2

and also for the micronaut-core etc

     |    |    +--- io.micronaut:micronaut-core:3.10.2
     |    |    |    \--- org.slf4j:slf4j-api:1.7.36
     |    |    \--- org.yaml:snakeyaml:2.0 -> 2.2