Open wilkinsona opened 1 week ago
@wilkinsona, thanks so much for the report! Managed dependencies that don't belong to the o.a.l.log4j group are indeed not wanted and should be removed. I will see what we can do about it.

Log4j inherits the BOM flattening logic from `org.apache.logging:logging-parent`, which `org.apache:apache`

Quoting from the above linked `pom.xml` snippet:

Consider the following problem experienced in `log4j-transform-maven-plugin`:

- `log4j-transform-parent` depends on `log4j-transform-bom`
- `log4j-transform-bom` depends on `logging-parent`
- `logging-parent` contains `dependencyManagement`, etc. that are used by `log4j-transform-maven-plugin`
- Dependencies of `log4j-transform-maven-plugin` et al. are resolved at runtime
- Though at runtime, the deployed `log4j-transform-bom` is used, which is flattened and hence doesn't have a parent!
- Hence, at runtime, all `logging-parent` logic is lost

To avoid this, parents should better be kept while flattening BOMs.
In short, we decided to keep the parent since it was necessary for modules needing dependency resolution at runtime. We need to do some research on what would be the best way to approach this problem. @wilkinsona, your feedback is more than welcome.
Description

`log4j-bom` inherits from `logging-parent`. Unfortunately, this results in `log4j-bom` managing a number of dependencies that are unrelated to a consumer's use of Log4j2. Those dependencies are:

- biz.aQute.bnd:biz.aQute.bnd.annotation:7.0.0
- com.github.spotbugs:spotbugs-annotations:4.8.6
- org.jspecify:jspecify:1.0.0
- org.osgi:osgi.annotation:8.1.0
- org.osgi:org.osgi.annotation.bundle:2.0.0
- org.osgi:org.osgi.annotation.versioning:1.1.2

`org.apache.maven.plugin-tools:maven-plugin-annotations:3.13.1` is also being managed, but this is inherited from the `org.apache:apache` pom and has already been reported and, pending an upgrade to use the new parent, fixed.

This unwanted dependency management can conflict with a user's own dependency management for those dependencies. Depending on how that dependency management is configured, it may override it, leaving a consumer using an unexpected version of a dependency.
Configuration
Version: 2.21.0 and later. The list of dependencies above is from 2.24.1.
Operating system: Any
JDK: Any
Logs
N/A
Reproduction

Run `mvn help:effective-pom` in a project with the following `pom.xml`:

The output will show a number of managed dependencies that aren't in the `org.apache.logging.log4j` group.
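As an added check (not code from the issue or from the Log4j project), the script below parses the XML written by `mvn help:effective-pom -Doutput=<file>` and lists every managed dependency whose groupId falls outside `org.apache.logging.log4j`, i.e. the versions a BOM import would pin in a consumer's build. The embedded sample POM is constructed; its versions are taken from the list above.

```python
"""Flag dependencyManagement entries in a Maven effective POM whose groupId
lies outside an expected group.  Added example, not code from Log4j."""
import sys
import xml.etree.ElementTree as ET


def managed_dependencies(pom_xml):
    """(groupId, artifactId, version) for every managed dependency.  Accepts the
    XML from `mvn help:effective-pom -Doutput=<file>` (a <project> or, for a
    multi-module build, a <projects> root) and a deployed, flattened BOM."""
    root = ET.fromstring(pom_xml)
    # Effective POMs carry the Maven namespace; hand-written ones may not.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    projects = root.findall(f"{ns}project") if root.tag.endswith("projects") else [root]
    path = f"{ns}dependencyManagement/{ns}dependencies/{ns}dependency"
    # Regular <dependencies> are not visited: only managed versions matter here.
    return [(dep.findtext(f"{ns}groupId", ""), dep.findtext(f"{ns}artifactId", ""),
             dep.findtext(f"{ns}version", ""))
            for project in projects for dep in project.findall(path)]


def foreign_managed(pom_xml, allowed_group="org.apache.logging.log4j"):
    """Managed dependencies outside allowed_group and its sub-groups: versions a
    BOM import pins that may override the consumer's own dependencyManagement."""
    return [d for d in managed_dependencies(pom_xml)
            if d[0] != allowed_group and not d[0].startswith(allowed_group + ".")]


# Constructed sample in the shape of the report: Log4j's own artifacts next to
# two annotation libraries the consumer never asked for.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>app</artifactId><version>1</version>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId><version>2.24.1</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId><version>2.24.1</version></dependency>
    <dependency><groupId>org.jspecify</groupId>
      <artifactId>jspecify</artifactId><version>1.0.0</version></dependency>
    <dependency><groupId>org.osgi</groupId>
      <artifactId>osgi.annotation</artifactId><version>8.1.0</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

if __name__ == "__main__":
    # Pass the path of an effective-pom.xml; without one the sample is scanned.
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_POM
    for group, artifact, version in foreign_managed(xml_text):
        print(f"managed outside expected group: {group}:{artifact}:{version}")
```

Running it against a real `effective-pom.xml` of a project that imports `log4j-bom` shows which of the listed coordinates are pinned by the BOM rather than by the project's own dependency management.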