After updating my Spring Boot Starter from v3.3.9 to v4.0.0-M3, some tests started failing because of an incompatibility between a JSON assertion library I'm using and the org.json:json lib it depends on. Here's the relevant output from the Maven dependency report:
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:4.0.0-M3:test
[INFO] | +- org.springframework.boot:spring-boot-test:jar:4.0.0-M3:test
[INFO] | +- org.springframework.boot:spring-boot-restclient-test:jar:4.0.0-M3:test
[INFO] | +- org.springframework.boot:spring-boot-test-autoconfigure:jar:4.0.0-M3:test
[INFO] | +- org.springframework.boot:spring-boot-web-server-test:jar:4.0.0-M3:test
[INFO] | +- com.jayway.jsonpath:json-path:jar:2.9.0:test
[INFO] | | \- org.slf4j:slf4j-api:jar:2.0.17:compile
[INFO] | +- jakarta.xml.bind:jakarta.xml.bind-api:jar:4.0.2:test
[INFO] | | \- jakarta.activation:jakarta.activation-api:jar:2.1.4:test
[INFO] | +- net.minidev:json-smart:jar:2.6.0:test
[INFO] | | \- net.minidev:accessors-smart:jar:2.6.0:test
[INFO] | | \- org.ow2.asm:asm:jar:9.7.1:test
[INFO] | +- org.assertj:assertj-core:jar:3.27.4:test
[INFO] | | \- net.bytebuddy:byte-buddy:jar:1.17.7:test
[INFO] | +- org.awaitility:awaitility:jar:4.3.0:test
[INFO] | +- org.hamcrest:hamcrest:jar:3.0:test
[INFO] | +- org.junit.jupiter:junit-jupiter:jar:5.13.4:test
[INFO] | | +- org.junit.jupiter:junit-jupiter-api:jar:5.13.4:test
[INFO] | | | +- org.opentest4j:opentest4j:jar:1.3.0:test
[INFO] | | | +- org.junit.platform:junit-platform-commons:jar:1.13.4:test
[INFO] | | | \- org.apiguardian:apiguardian-api:jar:1.1.2:test
[INFO] | | +- org.junit.jupiter:junit-jupiter-params:jar:5.13.4:test
[INFO] | | \- org.junit.jupiter:junit-jupiter-engine:jar:5.13.4:test
[INFO] | | \- org.junit.platform:junit-platform-engine:jar:1.13.4:test
[INFO] | +- org.mockito:mockito-core:jar:5.19.0:test
[INFO] | | +- net.bytebuddy:byte-buddy-agent:jar:1.17.7:test
[INFO] | | \- org.objenesis:objenesis:jar:3.3:test
[INFO] | +- org.mockito:mockito-junit-jupiter:jar:5.19.0:test
[INFO] | +- org.skyscreamer:jsonassert:jar:1.5.3:test
[INFO] | | \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
The last line indicates a transitive dependency on a 12-year-old shim/fork of org.json:json. I fixed the problem in my project by excluding this version and including org.json:json:20250517 instead.
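The exclusion described in the post above, written out as a `pom.xml` fragment. This is an added example, not part of the original post or of Spring Boot's own build; it assumes versions without a `<version>` element are managed by a parent POM or BOM, and the enforcer rule and its execution id `ban-android-json` are additions that go beyond the post so the shim cannot return through another transitive path.

```xml
<!-- Added example. Assumption: unversioned dependencies and plugins are
     managed by a parent POM or BOM (for instance spring-boot-starter-parent). -->
<dependencies>
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-test</artifactId>
    <scope>test</scope>
    <exclusions>
      <!-- Drop the shim that jsonassert pulls in transitively -->
      <exclusion>
        <groupId>com.vaadin.external.google</groupId>
        <artifactId>android-json</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <!-- Supply the org.json classes from the version named in the post -->
  <dependency>
    <groupId>org.json</groupId>
    <artifactId>json</artifactId>
    <version>20250517</version>
    <scope>test</scope>
  </dependency>
</dependencies>

<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <executions>
        <execution>
          <!-- Hypothetical execution id chosen for this example -->
          <id>ban-android-json</id>
          <goals><goal>enforce</goal></goals>
          <configuration>
            <rules>
              <!-- Fails the build if the shim is resolved anywhere in the tree -->
              <bannedDependencies>
                <excludes>
                  <exclude>com.vaadin.external.google:android-json</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```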
Comment From: bclozel
We are aware of this situation. This isn't due to Spring Boot but rather something to be dealt with in the jsonassert library. At the time, the org.json:json was using an exotic software license; it has since moved to a "Public Domain" license, that you seem to be happy to use in your application but isn't clearly defined.
In the meantime jsonassert made some progress but the official release isn't scheduled right now.
There are many related issues, see #40949, #41201 and #9248.
In short, I don't think we can make progress here.