I really think Cassandra should move to its own repo. We probably need 
2 modules - one for Cassandra 3 and one for 4.  For reference, here are 
the download stats for last month.

log4j-api                         20818654  0.27623504
log4j-bom                         20505054  0.27207401
log4j-core                        10632456  0.14107814
log4j-to-slf4j                    10417835  0.13823041
log4j-slf4j-impl                   6187291  0.08209689
log4j-1.2-api                      1677720  0.02226105
log4j-web                          1307038  0.01734261
log4j-jul                          1185935  0.01573573
log4j                              1082051  0.01435734
log4j-jcl                           557238  0.00739379
log4j-slf4j18-impl                  258866  0.0034348
log4j-iostreams                     200289  0.00265756
log4j-layout-template-json          169752  0.00225238
log4j-appserver                     138481  0.00183745
log4j-api-scala_2.12                 71156  9.44E-04
log4j-api-kotlin                     22779  3.02E-04
log4j-api-scala_2.11                 15613  2.07E-04
log4j-taglib                         14570  1.93E-04
log4j-flume-ng                       13060  1.73E-04
log4j-nosql                          11705  1.55E-04
log4j-jmx-gui                        11697  1.55E-04
log4j-couchdb                        10391  1.38E-04
log4j-liquibase                       9430  1.25E-04
log4j-spring-boot                     8042  1.07E-04
log4j-api-scala_2.13                  7041  9.34E-05
log4j-spring-cloud-config-client      4735  6.28E-05
log4j-jpa                             3303  4.38E-05
log4j-kubernetes                      2771  3.68E-05
log4j-docker                          2644  3.51E-05
log4j-jpl                             2376  3.15E-05
log4j-cassandra                       2186  2.90E-05
log4j-mongodb3                        2186  2.90E-05
log4j-osgi                            1895  2.51E-05
log4j-jdbc-dbcp2                      1757  2.33E-05
log4j-mongodb4                        1489  1.98E-05
log4j-mongodb2                        1008  1.34E-05
log4j-jakarta-web                      682  9.05E-06
log4j-audit-parent                     507  6.73E-06
slf4j-impl                             488  6.48E-06
log4j-audit                            439  5.82E-06
log4j-catalog                          436  5.79E-06
log4j-catalog-api                      427  5.67E-06
log4j-audit-api                        422  5.60E-06
log4j-api-scala_2.10                   292  3.87E-06
log4j-spring-cloud-config              186  2.47E-06
log4j-catalog-jpa                      149  1.98E-06
log4j-catalog-git                      147  1.95E-06
log4j12-api                            135  1.79E-06
log4j-catalog-editor                   128  1.70E-06
log4j-audit-war                        124  1.65E-06
log4j-audit-maven-plugin               123  1.63E-06
log4j-to-jul                           114  1.51E-06
log4j-core-its                          98  1.30E-06
log4j-mongodb                           92  1.22E-06
log4j-perf                              62  8.23E-07
log4j-api-kotlin-benchmark              56  7.43E-07
log4j-api-kotlin-sample                 55  7.30E-07
log4j-api-kotlin-parent                 47  6.24E-07
log4j-scala                             14  1.86E-07

Ralph

> On Apr 26, 2022, at 5:40 PM, Matt Sicker <[email protected]> wrote:
> 
> * Agreed on servlet API.
> * Cassandra does need to be upgraded to at least 3.x, though there's
> also 4.x out now with a slightly different API which might make sense
> as a separate module from Cassandra 3.x support
> * Felix can likely be bumped to something more recent. We could
> potentially update the OSGi dependency, too, to match this, but not as
> big a deal.
> * There are multiple OSGi Maven plugins; it's possible that the one
> we're using has fallen out of favor. I remember https://bndtools.org
> being one of the sort of canonical OSGi build tool projects, and
> there's a Maven plugin for it.
> 
> On Mon, Apr 25, 2022 at 2:20 PM Piotr P. Karwasz
> <[email protected]> wrote:
>> 
>> Hello,
>> 
>> Dependabot has reached the maximum number of PRs allowed by its
>> configuration, so I believe it is spring cleaning time.
>> 
>> Some actions are no-brainers:
>> 
>> * `javax.servlet-api` (https://github.com/apache/logging-log4j2/pull/803)
>> should stay at 3.0, since we don't use features from higher versions,
>> * `cassandra-all` 2.2.8 (https://github.com/apache/logging-log4j2/pull/817)
>> is unsupported and has 2 vulnerabilities. We should switch to 3.0.26,
>> although this requires some code changes. Do we need to do it before 2.18.0?
>> 
>> Other 'bumps' require IMHO some discussion:
>> 
>> * `org.apache.felix.framework` is used only for testing. Should we switch
>> to a newer version?
>> * `maven-bundle-plugin`: documentation seems to be stuck at 4.2.1, while
>> the implementation reached 5.1.4. Do we need to upgrade?
>> 
>> Piotr
