That is interesting. TL;DR: quick workaround would be to replace `runtimev` with `apiv` for asm and groovy-all dependencies in :src:bom build script.
The long story is "it's complicated". Technically speaking "asm" is caused json-smart: compileClasspath - Compile classpath for source set 'main'. +--- net.minidev:json-smart -> 2.3 | \--- net.minidev:accessors-smart:1.2 | \--- org.ow2.asm:asm:5.0.4 It leaks "asm" dependency to a compile classpath of :src:components Technically speaking, net.minidev:json-smart should declare the dependency as "runtime" so the dependency does not accidentally leak to the compile classpath. I'm not sure what is the best way to resolve this. There are two approaches: 1) Use only `api` declarations in :src:bom. That would ensure that versions always match the ones declared in our "bill of material". The downsides are: 1.1) We would be able to add dependency like "org.ow2.asm:asm" or "org.codehaus.groovy:groovy-all" to our codebase. 1.2) We can accidentally import org.ow2.asm... because that dependency is leaked from json-smart. 2) Add exclude rules to the offending libraries. It would avoid accidental use of unwanted dependencies. However there are downsides as well: 2.1) We need to manually add exclusions 2.2) We need a way to detect the offending libraries There might be yet another approach: implement some sort of Gradle rules to automatically exclude certain libraries from the compile classpath. For instance, we could scan "bom", and automatically exclude "runtime" dependencies from compile classpath. I'm not sure how hard would it be. Vladimir
