From e12bb7b5de2ae719e6f692f05a02fee8d7fef8da Mon Sep 17 00:00:00 2001
From: Andy Wilkinson <andy.wilkinson@broadcom.com>
Date: Tue, 22 Jul 2025 14:30:43 +0100
Subject: [PATCH] Library upgrade policy should not reduce bom's policy

Library-specific upgrade policies were added to allow a dependency
to have a less strict upgrade policy, for example so that a new
minor upgrade could be applied in a maintenance release. As
currently implemented, a library-specific policy that's more
restrictive than the bom's policy may result in a possibl upgrade
being missed.

This commit updates the library-specific support to use the
maximum (most permissive) upgrade policy so that possible upgrades
are not hidden by a less permissive library-specific policy.

See gh-46369
---
 .../springframework/boot/build/bom/UpgradePolicy.java  | 10 ++++++++++
 .../boot/build/bom/bomr/UpgradeDependencies.java       |  7 +++----
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/buildSrc/src/main/java/org/springframework/boot/build/bom/UpgradePolicy.java b/buildSrc/src/main/java/org/springframework/boot/build/bom/UpgradePolicy.java
index 6296d6e8b6f..fff41fd3ea0 100644
--- a/buildSrc/src/main/java/org/springframework/boot/build/bom/UpgradePolicy.java
+++ b/buildSrc/src/main/java/org/springframework/boot/build/bom/UpgradePolicy.java
@@ -53,4 +53,14 @@ public enum UpgradePolicy implements BiPredicate<DependencyVersion, DependencyVe
 		return this.delegate.test(candidate, current);
 	}
 
+	public static UpgradePolicy max(UpgradePolicy one, UpgradePolicy two) {
+		if (one == null && two != null) {
+			return two;
+		}
+		else if (one != null && two == null) {
+			return one;
+		}
+		return (one.ordinal() < two.ordinal()) ? one : two;
+	}
+
 }
diff --git a/buildSrc/src/main/java/org/springframework/boot/build/bom/bomr/UpgradeDependencies.java b/buildSrc/src/main/java/org/springframework/boot/build/bom/bomr/UpgradeDependencies.java
index c94fe7f51d1..fafe429f20f 100644
--- a/buildSrc/src/main/java/org/springframework/boot/build/bom/bomr/UpgradeDependencies.java
+++ b/buildSrc/src/main/java/org/springframework/boot/build/bom/bomr/UpgradeDependencies.java
@@ -265,10 +265,9 @@ public abstract class UpgradeDependencies extends DefaultTask {
 	}
 
 	private boolean compliesWithUpgradePolicy(Library library, DependencyVersion candidate) {
-		UpgradePolicy upgradePolicy = library.getUpgradePolicy();
-		if (upgradePolicy == null) {
-			upgradePolicy = this.bom.getUpgrade().getPolicy();
-		}
+		UpgradePolicy libraryPolicy = library.getUpgradePolicy();
+		UpgradePolicy bomPolicy = this.bom.getUpgrade().getPolicy();
+		UpgradePolicy upgradePolicy = UpgradePolicy.max(libraryPolicy, bomPolicy);
 		return upgradePolicy.test(candidate, library.getVersion().getVersion());
 	}