log4j-bom leaks non-Log4j dependencies #3066
Labels: bug (Incorrect, unexpected, or unintended behavior of existing code); dependencies (Related to third party dependency updates or migrations)
Description
`log4j-bom` inherits from `logging-parent`. Unfortunately, this results in `log4j-bom` managing a number of dependencies that are unrelated to a consumer's use of Log4j2. Those dependencies are:

biz.aQute.bnd:biz.aQute.bnd.annotation:7.0.0
com.github.spotbugs:spotbugs-annotations:4.8.6
org.jspecify:jspecify:1.0.0
org.osgi:osgi.annotation:8.1.0
org.osgi:org.osgi.annotation.bundle:2.0.0
org.osgi:org.osgi.annotation.versioning:1.1.2

`org.apache.maven.plugin-tools:maven-plugin-annotations:3.13.1` is also being managed, but this is inherited from the `org.apache:apache` pom and has already been reported and, pending an upgrade to use the new parent, fixed.

This unwanted dependency management can conflict with a user's own dependency management for those dependencies. Depending on how that dependency management is configured, it may override it, leaving a consumer using an unexpected version of a dependency.
Configuration
Version: 2.21.0 and later. The list of dependencies above is from 2.24.1.
Operating system: Any
JDK: Any
Logs
N/A
Reproduction
Run `mvn help:effective-pom` in a project with the following `pom.xml`:

The output will show a number of managed dependencies that aren't in the `org.apache.logging.log4j` group.
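One way to turn the reproduction step above into a repeatable check is to parse the XML that `mvn help:effective-pom` prints and flag every managed dependency whose groupId is outside `org.apache.logging.log4j`. The script below is an added example written for this page; it is not code from the issue or from the Log4j project. The `SAMPLE_POM` string is a constructed fragment of an effective POM that reuses a few of the coordinates named in the report, so the script runs offline; against a real project you would feed it the file written by `mvn help:effective-pom -Doutput=effective-pom.xml` instead.

```python
"""Audit a Maven effective POM for managed dependencies outside the Log4j group.

Added example (not part of the issue or the Log4j project): given the XML that
`mvn help:effective-pom` prints, list every <dependencyManagement> entry whose
groupId is not org.apache.logging.log4j. SAMPLE_POM is a constructed fragment
that reuses coordinates named in the report; a real effective POM is far longer.
"""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
LOG4J_GROUP = "org.apache.logging.log4j"

# Constructed sample of a dependencyManagement section as it looks after
# importing log4j-bom: two Log4j artifacts plus three leaked third-party ones.
SAMPLE_POM = f"""<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="{POM_NS}">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>consumer</artifactId>
  <version>1.0</version>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>2.24.1</version>
      </dependency>
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>2.24.1</version>
      </dependency>
      <dependency>
        <groupId>biz.aQute.bnd</groupId>
        <artifactId>biz.aQute.bnd.annotation</artifactId>
        <version>7.0.0</version>
      </dependency>
      <dependency>
        <groupId>com.github.spotbugs</groupId>
        <artifactId>spotbugs-annotations</artifactId>
        <version>4.8.6</version>
      </dependency>
      <dependency>
        <groupId>org.jspecify</groupId>
        <artifactId>jspecify</artifactId>
        <version>1.0.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""


def managed_dependencies(pom_xml):
    """Return (groupId, artifactId, version) for every managed dependency."""
    root = ET.fromstring(pom_xml)
    ns = {"m": POM_NS}
    result = []
    for dep in root.findall("./m:dependencyManagement/m:dependencies/m:dependency", ns):
        group = dep.findtext("m:groupId", default="", namespaces=ns)
        artifact = dep.findtext("m:artifactId", default="", namespaces=ns)
        version = dep.findtext("m:version", default="", namespaces=ns)
        result.append((group, artifact, version))
    return result


def leaked_dependencies(pom_xml, allowed_group=LOG4J_GROUP):
    """Managed coordinates whose groupId is outside the allowed group.

    Anything returned here is a version the BOM pins on the consumer's behalf
    for a library that has nothing to do with Log4j; compare it against the
    version the consumer intended to use.
    """
    return [d for d in managed_dependencies(pom_xml) if d[0] != allowed_group]


if __name__ == "__main__":
    # Real usage: mvn help:effective-pom -Doutput=effective-pom.xml, then
    # pass open("effective-pom.xml").read() in place of SAMPLE_POM.
    for group, artifact, version in leaked_dependencies(SAMPLE_POM):
        print(f"leaked: {group}:{artifact}:{version}")
```

Running this against the sample prints the three non-Log4j coordinates; against the real effective POM of a project that imports `log4j-bom` 2.24.1 it would list the entries from the report.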