spring-boot-starter-rsocket pom contains security dependencies

[rwinch]

It appears that as of spring-boot-starter-rsocket-2.3.0.M1.pom it contains Spring Security dependencies that are being pulled in transitively. The dependencies are in 2.3.0.M2 and the latest 2.3.0.BUILD-SNAPSHOT:

<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-config</artifactId>
  <scope>compile</scope>
</dependency>
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-web</artifactId>
  <scope>compile</scope>
</dependency>

This means that simply adding the spring-boot-starter-rsocket triggers the Spring Boot auto configuration for Security.

This was originally brought to my attention because @joshlong was having difficulties doing a demo and asked for my help. I haven't investigated the scope of the problem, so it would probably be good to check if other dependencies are impacted.

[mbhave]

Those dependencies are explicitly included in the build.gradle. They aren't in 2.2.x so I'm not sure if there was a reason for adding them in master or an oversight. Flagging for team attention to see if anyone remembers.

[bclozel]

That's odd. I don't remember any decision around that. Probably a copy/paste issue during the Gradle migration?

[mbhave]

Seems like that to me. Since you don't remember anything related to this either, I'll mark it as a bug.

[rwinch]

Thanks for the quick turnaround on this!

[wilkinsona]

🤦‍♂ Thanks for spotting and reporting this, @rwinch. Not quite sure how I managed that during the migration.

[rwinch]

No problem. A migration of that size is going to have a few 🤦‍♂️ moments. Thanks again @mbhave for the fast turnaround 😄