APiGen BOM (Bill of Materials)

Centralized dependency version management for APiGen modules with security patches and compatibility guarantees.

Overview

The Problem: Dependency Hell

Before APiGen BOM:

groovy

// Project A: apigen-core
dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-web:3.2.0'
    implementation 'com.google.guava:guava:32.0.0-jre'  // ⚠️ CVE-2023-2976
}

// Project B: apigen-security  
dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-web:4.0.2'  // ❌ Version conflict!
    implementation 'com.google.guava:guava:33.0.0-jre'   // ❌ Different version!
}

// Your Application
dependencies {
    implementation 'com.jnzader:apigen-core:1.0.0'
    implementation 'com.jnzader:apigen-security:1.0.0'
}

Result:
// Gradle uses highest version → Spring Boot 4.0.2
// But apigen-core was built with 3.2.0 → Runtime errors!
// NoSuchMethodError, ClassNotFoundException

After APiGen BOM:

groovy

dependencies {
    // ✅ Single source of truth for all versions
    implementation platform('com.jnzader:apigen-bom:1.0.0-SNAPSHOT')
    
    // ✅ No version conflicts - all APiGen modules use same versions
    implementation 'com.jnzader:apigen-core'
    implementation 'com.jnzader:apigen-security'
    implementation 'com.jnzader:apigen-search'
    
    // ✅ Third-party dependencies also managed
    implementation 'org.mapstruct:mapstruct'  // BOM provides version
    implementation 'com.google.guava:guava'   // BOM provides patched version
}

Result:
// ✅ Spring Boot 4.0.2 everywhere
// ✅ Guava 33.5.0-jre with CVE patches
// ✅ 100% compatibility guaranteed
// ✅ Zero version conflicts

Time Saved:

Manual dependency management: 2-4 hours per project (conflicts, CVE research)
APiGen BOM: 5 minutes (add platform import)
Result: 95% time reduction

Purpose

The BOM ensures all APiGen modules and their dependencies use compatible versions, preventing version conflicts in your project. It also includes security patches for transitive dependencies with known CVEs.

Usage

Gradle:

groovy

dependencies {
    implementation platform('com.jnzader:apigen-bom:1.0.0-SNAPSHOT')
    implementation 'com.jnzader:apigen-core'
    implementation 'com.jnzader:apigen-security'  // Optional
    implementation 'com.jnzader:apigen-search'    // Optional
}

Maven:

xml

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>com.jnzader</groupId>
            <artifactId>apigen-bom</artifactId>
            <version>1.0.0-SNAPSHOT</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

Managed Dependencies

Core Framework

Dependency	Version	Notes
Spring Boot	4.0.2	Latest Spring Boot 4.x
Spring Cloud	2025.1.1	2025 release train
MapStruct	1.6.3	DTO mapping
Caffeine	3.2.3	High-performance caching
Resilience4j	2.3.0	Circuit breaker, retry, rate limiter
SpringDoc OpenAPI	3.0.1	OpenAPI 3.1 documentation

Security

Dependency	Version	Notes
JJWT	0.13.0	JWT authentication

Search Engines

Dependency	Version	Notes
Elasticsearch	8.17.0	Full-text search
Algolia	4.10.1	Hosted search
Meilisearch	0.14.2	Open-source search
Typesense	1.2.0	Typo-tolerant search

Graph Databases

Dependency	Version	Notes
Neo4j Driver	5.28.10	Cypher queries
Gremlin (TinkerPop)	3.7.1	Graph traversal
ArangoDB	7.12.0	Multi-model database

Observability

Dependency	Version	Notes
Micrometer Tracing	1.6.2	Distributed tracing
OpenTelemetry	1.58.0	OTLP exporter
Logstash Encoder	9.0	Structured logging

Feature Flags

Dependency	Version	Notes
Togglz	4.4.0	Feature flag management

Testing

Dependency	Version	Notes
Testcontainers	1.20.3	Integration testing
ArchUnit	1.4.1	Architecture testing
Awaitility	4.3.0	Async testing

Performance & Query Analysis

Dependency	Version	Notes
Hypersistence Utils	3.14.1	N+1 query detection

Security Patches

The BOM includes security fixes for transitive dependencies with known CVEs:

Dependency	Version	CVEs Fixed
Guava	33.5.0-jre	CVE-2020-8908, CVE-2023-2976 (insecure temp directory)
Logback	1.5.25	CVE-2026-1225
Netty Codec HTTP	4.2.8.Final	CVE-2025-67735
Rhino	1.7.15.1	CVE-2025-66453

These overrides ensure secure transitive dependencies even when third-party libraries use vulnerable versions.

APiGen Modules

All APiGen modules are version-constrained by the BOM:

Module	Description
`apigen-core`	CRUD base classes, auditing, caching
`apigen-exceptions`	RFC 7807 error handling
`apigen-security`	JWT, OAuth2, SAML, 2FA
`apigen-codegen`	Code generation engine
`apigen-docs`	Interactive documentation
`apigen-graph`	Graph database support
`apigen-search`	Full-text search integration

Compatibility Matrix

Java Version	Spring Boot	APiGen BOM
25+	4.0.2+	1.0.0+
21+	3.2.0+	0.9.0+
17+	3.0.0+	0.8.0+

APiGen BOM (Bill of Materials) ​

Overview ​

The Problem: Dependency Hell ​

Purpose ​

Usage ​

Managed Dependencies ​

Core Framework ​

Security ​

Search Engines ​

Graph Databases ​

Observability ​

Feature Flags ​

Testing ​

Performance & Query Analysis ​

Security Patches ​

APiGen Modules ​

Compatibility Matrix ​

APiGen BOM (Bill of Materials)

Overview

The Problem: Dependency Hell

Purpose

Usage

Managed Dependencies

Core Framework

Security

Search Engines

Graph Databases

Observability

Feature Flags

Testing

Performance & Query Analysis

Security Patches

APiGen Modules

Compatibility Matrix