bootstrap bits use old version of jsoup when outside quarkus build, platform bom manages old version #21402

Closed
gemmellr opened this issue Nov 12, 2021 · 3 comments · Fixed by #21406
Labels
kind/bug Something isn't working
Milestone

Comments

@gemmellr
Contributor

gemmellr commented Nov 12, 2021

Describe the bug

#19590 updated the jsoup version in the build-parent after dependabot (and now various other scans) flagged it. The version property sits in a group commented "Align various dependencies that are not really part of the bom".

The bootstrap bits do have a transitive dependency on jsoup however, via the maven resolver and its use of wagon-http. So the build-parent manages the version to the new one during the quarkus build and testing, but then users of quarkus will likely use a different version since it isn't managed.

Also, unlike the core, the platform bom does actually manage the jsoup version, but still to the older one, so anything using that may then actually also be getting managed to use the old version specifically.

From https://issues.apache.org/jira/browse/WAGON-612 it doesn't seem like it's considered an issue or priority for wagon-http itself, but that isn't to say having that version there won't present folks issues for other areas.

Either way certainly it would be nice if the platform bom wasn't managing the version to the old one which causes warnings, and if the quarkus build was testing things with a version users will likely actually get.

Should/could the bootstrap bom be managing this?

Expected behavior

Same, newer, version of dependency used during quarkus build and by eventual users.

Actual behavior

Most likely different versions used unwittingly, managed or unmanaged, causing warnings during dependency scans.

@gemmellr gemmellr added the kind/bug Something isn't working label Nov 12, 2021
@gemmellr
Contributor Author

Tree from bootstrap-core to jsoup

[INFO] |  +- io.quarkus:quarkus-bootstrap-core:jar:2.5.0.CR1:compile
[INFO] |  |  +- io.quarkus:quarkus-bootstrap-app-model:jar:2.5.0.CR1:compile
[INFO] |  |  |  \- org.jboss.logging:commons-logging-jboss-logging:jar:1.0.0.Final:runtime
[INFO] |  |  +- io.quarkus:quarkus-bootstrap-maven-resolver:jar:2.5.0.CR1:compile
[INFO] |  |  |  +- org.apache.maven:maven-embedder:jar:3.8.1:compile
[INFO] |  |  |  |  +- org.apache.maven:maven-settings:jar:3.8.1:compile
[INFO] |  |  |  |  +- org.apache.maven:maven-core:jar:3.8.1:compile
[INFO] |  |  |  |  |  +- org.apache.maven:maven-artifact:jar:3.8.1:compile
[INFO] |  |  |  |  |  \- org.codehaus.plexus:plexus-component-annotations:jar:2.1.0:compile
[INFO] |  |  |  |  +- org.apache.maven:maven-plugin-api:jar:3.8.1:compile
[INFO] |  |  |  |  +- org.apache.maven:maven-model:jar:3.8.1:compile
[INFO] |  |  |  |  +- org.apache.maven:maven-model-builder:jar:3.8.1:compile
[INFO] |  |  |  |  +- org.apache.maven:maven-builder-support:jar:3.8.1:compile
[INFO] |  |  |  |  +- org.apache.maven.resolver:maven-resolver-api:jar:1.6.2:compile
[INFO] |  |  |  |  +- org.apache.maven.resolver:maven-resolver-util:jar:1.6.2:compile
[INFO] |  |  |  |  +- org.apache.maven.shared:maven-shared-utils:jar:3.3.3:compile
[INFO] |  |  |  |  |  \- commons-io:commons-io:jar:2.11.0:compile
[INFO] |  |  |  |  +- com.google.inject:guice:jar:no_aop:4.2.1:compile
[INFO] |  |  |  |  |  \- com.google.guava:guava:jar:30.1.1-jre:compile
[INFO] |  |  |  |  |     +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  |  |  |  |     \- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  |  |  |  +- org.codehaus.plexus:plexus-utils:jar:3.2.1:compile
[INFO] |  |  |  |  +- org.codehaus.plexus:plexus-classworlds:jar:2.6.0:compile
[INFO] |  |  |  |  \- commons-cli:commons-cli:jar:1.4:compile
[INFO] |  |  |  +- org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.4:compile
[INFO] |  |  |  +- org.apache.maven:maven-settings-builder:jar:3.8.1:compile
[INFO] |  |  |  |  +- org.codehaus.plexus:plexus-interpolation:jar:1.25:compile
[INFO] |  |  |  |  \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile
[INFO] |  |  |  |     \- org.sonatype.plexus:plexus-cipher:jar:1.4:compile
[INFO] |  |  |  +- org.apache.maven:maven-resolver-provider:jar:3.8.1:compile
[INFO] |  |  |  |  +- org.apache.maven:maven-repository-metadata:jar:3.8.1:compile
[INFO] |  |  |  |  +- org.apache.maven.resolver:maven-resolver-spi:jar:1.6.2:compile
[INFO] |  |  |  |  \- org.apache.maven.resolver:maven-resolver-impl:jar:1.6.2:compile
[INFO] |  |  |  +- org.apache.maven.resolver:maven-resolver-connector-basic:jar:1.6.2:compile
[INFO] |  |  |  +- org.apache.maven.resolver:maven-resolver-transport-wagon:jar:1.6.2:compile
[INFO] |  |  |  +- org.apache.maven.wagon:wagon-http:jar:3.4.3:compile
[INFO] |  |  |  |  +- org.apache.maven.wagon:wagon-http-shared:jar:3.4.3:compile
[INFO] |  |  |  |  |  \- org.jsoup:jsoup:jar:1.12.1:compile
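
The tree above is the evidence that matters here: the version a consumer actually resolves comes from whatever path pulls the artifact in, not from a property in a build-parent that never reaches the published BOM. As an added example (not part of this issue or of the Quarkus code base), the following Python parses `mvn dependency:tree` output in the format shown, reports the version an artifact resolves to and the path that brings it in, and flags any artifact whose resolved version differs from the one a BOM is expected to manage. The tree text is a constructed excerpt of the lines quoted above, and the `EXAMPLE_MANAGED` map is a constructed placeholder: the issue does not state the newer jsoup version number, so `1.99.0-EXAMPLE` is not a real version.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample of `mvn dependency:tree` output, taken from the lines
# quoted in the issue and trimmed to the path from bootstrap-core to jsoup.
SAMPLE_TREE = r"""
[INFO] |  +- io.quarkus:quarkus-bootstrap-core:jar:2.5.0.CR1:compile
[INFO] |  |  +- io.quarkus:quarkus-bootstrap-maven-resolver:jar:2.5.0.CR1:compile
[INFO] |  |  |  +- com.google.inject:guice:jar:no_aop:4.2.1:compile
[INFO] |  |  |  +- org.apache.maven.wagon:wagon-http:jar:3.4.3:compile
[INFO] |  |  |  |  +- org.apache.maven.wagon:wagon-http-shared:jar:3.4.3:compile
[INFO] |  |  |  |  |  \- org.jsoup:jsoup:jar:1.12.1:compile
"""

# Placeholder for the version a BOM is expected to manage. The issue does not
# give the newer jsoup version, so this is a constructed example value only.
EXAMPLE_MANAGED: Dict[str, str] = {"org.jsoup:jsoup": "1.99.0-EXAMPLE"}

# One tree node: "[INFO] " + drawing prefix ("|  " per level) + "+- "/"\- " + coordinates.
_LINE = re.compile(r"^\[INFO\]\s?([| ]*)(?:[+\\]-\s)?(\S+:\S+)$")


class Dep(NamedTuple):
    group: str
    artifact: str
    version: str
    depth: int
    path: Tuple[str, ...]  # "group:artifact" of each ancestor, ending with this node


def _split_coords(coords: str) -> Tuple[str, str, str]:
    """Return (group, artifact, version) from Maven's colon-separated coordinates."""
    parts = coords.split(":")
    if len(parts) == 6:      # g:a:type:classifier:version:scope
        return parts[0], parts[1], parts[4]
    if len(parts) == 5:      # g:a:type:version:scope
        return parts[0], parts[1], parts[3]
    if len(parts) == 4:      # g:a:type:version (root module, no scope)
        return parts[0], parts[1], parts[3]
    raise ValueError(f"unrecognised coordinates: {coords}")


def parse_tree(text: str) -> List[Dep]:
    """Parse dependency:tree output into nodes with their ancestor paths."""
    deps: List[Dep] = []
    stack: List[Tuple[int, str]] = []  # (depth, "g:a") of the currently open ancestors
    for line in text.splitlines():
        m = _LINE.match(line.rstrip())
        if not m:
            continue  # blank line, build banner, or other non-tree output
        depth = len(m.group(1)) // 3
        group, artifact, version = _split_coords(m.group(2))
        ga = f"{group}:{artifact}"
        # Close any sibling or deeper branch before attaching this node.
        while stack and stack[-1][0] >= depth:
            stack.pop()
        path = tuple(x for _, x in stack) + (ga,)
        stack.append((depth, ga))
        deps.append(Dep(group, artifact, version, depth, path))
    return deps


def resolved_version(deps: List[Dep], ga: str) -> Optional[str]:
    """Version Maven resolved for "group:artifact", or None if absent from the tree."""
    for d in deps:
        if f"{d.group}:{d.artifact}" == ga:
            return d.version
    return None


def path_to(deps: List[Dep], ga: str) -> List[str]:
    """The chain of "group:artifact" coordinates that pulls ga into the graph."""
    for d in deps:
        if f"{d.group}:{d.artifact}" == ga:
            return list(d.path)
    return []


def check_managed(deps: List[Dep], managed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (ga, resolved, expected) for every node whose version disagrees with the BOM."""
    mismatches = []
    for d in deps:
        ga = f"{d.group}:{d.artifact}"
        expected = managed.get(ga)
        if expected is not None and expected != d.version:
            mismatches.append((ga, d.version, expected))
    return mismatches


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    print("jsoup resolves to", resolved_version(tree, "org.jsoup:jsoup"))
    print("pulled in via", " -> ".join(path_to(tree, "org.jsoup:jsoup")))
    for ga, got, want in check_managed(tree, EXAMPLE_MANAGED):
        print(f"MISMATCH {ga}: resolved {got}, BOM expects {want}")
```

Running this against the real output of `mvn dependency:tree` from a consuming project, with the managed map filled from the BOM the project imports, gives a quick check that the version tested in the Quarkus build is the one users actually get.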

@gemmellr
Contributor Author

^ @aloubyansky

@gemmellr
Contributor Author

Thanks @aloubyansky, change looks good.

@gsmet gsmet modified the milestones: 2.6 - main, 2.5.0.Final Nov 15, 2021