Spring AI Chat Client module depends on MCP Java #5760
Description
Bug description
When using the org.springframework.ai:spring-ai-client-chat dependency in a project, I also get a transitive dependency on io.modelcontextprotocol.sdk:mcp-json-jackson3, which brings a series of dependencies like io.modelcontextprotocol.sdk:mcp-core and com.networknt:json-schema-validator that I don't need if I'm not using MCP.
Among the other things, that's a problem when CVEs are reported for MCP Java, such as CVE-2026-34237.
Environment
Spring AI 2.0.0-M4
Steps to reproduce
Add the org.springframework.ai:spring-ai-client-chat dependency to an empty Spring Boot project. This is the dependency tree:
+--- org.springframework.ai:spring-ai-client-chat:2.0.0-M4
| | | +--- org.springframework.ai:spring-ai-model:2.0.0-M4 (*)
| | | +--- io.modelcontextprotocol.sdk:mcp-json-jackson3:1.1.0
| | | | +--- io.modelcontextprotocol.sdk:mcp-core:1.1.0
| | | | | +--- org.slf4j:slf4j-api:2.0.16 -> 2.0.17
| | | | | +--- com.fasterxml.jackson.core:jackson-annotations:2.20 -> 2.21
| | | | | \--- io.projectreactor:reactor-core:3.7.0 -> 3.8.4 (*)
| | | | +--- tools.jackson.core:jackson-databind:3.0.3 -> 3.1.0 (*)
| | | | \--- com.networknt:json-schema-validator:3.0.0
| | | | +--- com.ethlo.time:itu:1.14.0
| | | | +--- tools.jackson.core:jackson-databind:3.0.3 -> 3.1.0 (*)
| | | | +--- tools.jackson.dataformat:jackson-dataformat-yaml:3.0.3 -> 3.1.0
| | | | | +--- tools.jackson.core:jackson-core:3.1.0 (*)
| | | | | +--- tools.jackson.core:jackson-databind:3.1.0 (*)
| | | | | +--- org.snakeyaml:snakeyaml-engine:3.0.1
| | | | | \--- tools.jackson:jackson-bom:3.1.0 (*)
| | | | \--- org.slf4j:slf4j-api:2.0.17
| | | +--- io.swagger.core.v3:swagger-annotations-jakarta:2.2.38
| | | +--- com.github.victools:jsonschema-module-swagger-2:5.0.0 (*)
| | | +--- io.projectreactor:reactor-core:3.8.3 -> 3.8.4 (*)
| | | +--- org.springframework:spring-context:7.0.5 -> 7.0.6 (*)
| | | +--- com.knuddels:jtokkit:1.1.0
| | | \--- com.github.victools:jsonschema-generator:5.0.0 (*)Expected behavior
I would expect any MCP support in Spring AI to be included only when explicitly importing an MCP-related dependency, such as one of the convenient Spring AI MCP starters. In particular, I expect the org.springframework.ai:spring-ai-client-chat library not to be depending on any MCP library.