Validation Implementation in a Common Library with Conflicting Versions of hibernate-validator

I have created a common library which is being used as a dependency in several Spring Boot applications. I added some validation to POJOs in the common library using hibernate-validator:7.0.2-Final, and the common library tests work fine.

However, when the common library code runs in the dependency Spring Boot app, I get this error: java.lang.NoClassDefFoundError: jakarta/validation/Validation.

I looked into the root cause and the Spring Boot apps also have a dependency on spring-boot-starter-validation which is pulling in hibernate-validator:6.2.0.Final.

+--- org.springframework.boot:spring-boot-starter-validation -> 2.5.9
|    +--- org.springframework.boot:spring-boot-starter:2.5.9 (*)
|    +--- org.apache.tomcat.embed:tomcat-embed-el:9.0.56
|    \--- org.hibernate.validator:hibernate-validator:6.2.0.Final
|         +--- jakarta.validation:jakarta.validation-api:2.0.2
|         +--- org.jboss.logging:jboss-logging:3.4.1.Final -> 3.4.3.Final
|         \--- com.fasterxml:classmate:1.5.1

This is causing the common library’s hibernate-validator version to be managed to 6.2.0-Final.

+--- com.whatever:my-common-library:1.0.0
|    +--- org.hibernate.validator:hibernate-validator:7.0.2.Final -> 6.2.0.Final (*)
|    +--- org.glassfish:jakarta.el:4.0.1 -> 3.0.4
|    +---  jakarta.validation:jakarta.validation-api:3.0.1 -> 2.0.2

I’m assuming there is no way to have multiple versions of hibernate-validator coexist in the classpath. So this is leading me to believe that it is not a good design to put the validation implementation in the common library. But that implies that the consumers of the common library are responsible for performing the validation on the common library’s POJOs, which is also not desirable because consumers can easily forget to do this.

Any advice here?

Hibernate Validator 7.0 is for Jakarta EE 9 so with packages starting with jakarta.validation.

Most frameworks nowadays, be they Spring or Quarkus, are still using the artifacts with the javax.validation package so you should probably just use the latest 6.2.x version in your common library, instead of 7.0 and be done with it.