On Mon, 12 Sept 2022 at 09:11, Piotr P. Karwasz <[email protected]> wrote:
> It would also be nice to synchronise the `pom.xml` of `release-2.x`
> and `master`. Since the main `pom.xml` has about a hundred
> dependencies, what do you think about normalizing them by:
>
> * using BOMs if available (e.g. Jackson),
> * removing the scope from `<dependencyManagement>`: this way there
> will be no difference between BOMs and explicit dependencies. It's
> more verbose, but we won't risk having JUnit in the compile scope.
> * removing exclusions from `<dependencyManagement>`: AFAIK they are
> ignored by Maven. Or we can keep the exclusions as a template for the
> projects.
> * adding a property in the main pom.xml for *each* dependency used
> (e.g. even `slf4j-api:2.0.0` used in a single module). A convention on
> how to name these properties would be nice too...
> * sorting dependencies by scope (provided > compile > runtime >
> test), artifactId and groupId.
I finished moving things around. All the dependencies of the published
artifacts are in the `log4j` POM and versions are specified through
properties, so that they can be overridden in single modules. Of
course `log4j-bom` and `log4j-distribution` need to deal with their
dependencies independently (unless we add artifacts with `sources` and
`javadoc` classifiers to `log4j-bom`).
Two XSLTs in `src/tools` allow sorting the POMs and listing all the
plugin and dependency versions that are explicitly provided. Excluding
the aforementioned `log4j`, `log4j-bom` and `log4j-distribution`,
these are the results of running `src/tools/explicit-version.xslt` on
all POMs (the comments are mine):
Artifact:log4j-cassandra
  Version related properties:
    guava.version = 25.1-jre // still vulnerable to CVE-2020-8908, but Cassandra does not work with newer versions
Artifact:log4j-jpl
  Version related properties:
    surefire.version = 2.13 // to use 3.x we need to run Maven on JDK 9+
Artifact:log4j-jul
  Dependencies for plugin maven-surefire-plugin:
    org.apache.maven.surefire:surefire-junit47:${surefire.version} // `surefire-platform` initializes JUL before our tests can do it
Artifact:log4j-mongodb3
  Version related properties:
    mongodb.version = 3.12.11 // override of the default 4.5
Artifact:log4j-osgi
  Project dependencies:
    org.apache.logging.log4j.samples:log4j-samples-configuration:${project.version}
Artifact:log4j-perf
  Dependencies for plugin maven-shade-plugin:
    com.github.edwgiz:maven-shade-plugin.log4j2-cachefile-transformer:${log4j2-cachefile-transformer.version}
Artifact:log4j-samples
  Version related properties:
    maven-jetty-plugin.version = 6.1.26
    spring-ws.version = 3.1.3
  Dependency management:
    org.apache.logging.log4j.samples:log4j-samples-flume-common:${project.version}
    org.springframework.ws:spring-ws-core:${spring-ws.version}
  Plugin management:
    org.mortbay.jetty:maven-jetty-plugin:${maven-jetty-plugin.version}
Artifact:log4j-slf4j-impl
  Version related properties:
    slf4j.version = 1.7.25 // 1.7.26 has breaking changes
Artifact:log4j-spring-cloud-config-samples
  Version related properties:
    spring-ws.version = 3.1.3
  Dependency management:
    org.springframework.ws:spring-ws-core:${spring-ws.version}
  Plugin management:
    org.springframework.boot:spring-boot-maven-plugin:${spring-boot.version}
Artifact:log4j-spring-cloud-config
  Version related properties:
    spring-cloud.version = 2021.0.4
  Dependency management:
    org.apache.logging.log4j:log4j-bom:${project.version}:pom
    org.springframework.boot:spring-boot-dependencies:${spring-boot.version}:pom
    org.springframework.cloud:spring-cloud-dependencies:${spring-cloud.version}:pom
Artifact:log4j-slf4j2-impl
  Version related properties:
    slf4j.version = 2.0.0
Piotr
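The `<dependencyManagement>` conventions proposed in the quoted list (no scope, no exclusions, every version a `${...}` property defined in the POM) can be checked mechanically before a release. The Python script below is an added example, not part of this thread or of the `src/tools` XSLTs; the POM it parses is constructed so that each rule is violated once, and only the POM's own `<properties>` are consulted (parent POM properties are not resolved).

```python
"""Check a Maven POM against the dependencyManagement conventions from the thread."""
import re
import xml.etree.ElementTree as ET

# Constructed sample POM (not a log4j POM). slf4j-api follows every rule;
# junit breaks the scope and undefined-property rules, guava the exclusions and literal-version rules.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><slf4j.version>2.0.0</slf4j.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId>
      <version>${junit.version}</version><scope>test</scope></dependency>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId>
      <version>${slf4j.version}</version></dependency>
    <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId>
      <version>25.1-jre</version>
      <exclusions><exclusion><groupId>x</groupId><artifactId>y</artifactId></exclusion></exclusions>
    </dependency>
  </dependencies></dependencyManagement>
</project>"""

def _strip_namespaces(root):
    """Drop the POM namespace so elements can be matched by local name."""
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]

def _text(el, tag):
    child = el.find(tag)
    return child.text.strip() if child is not None and child.text else None

def lint_dependency_management(pom_xml):
    """Return one finding string per convention violated by a managed dependency."""
    root = ET.fromstring(pom_xml)
    _strip_namespaces(root)
    props = {p.tag for p in root.findall("properties/*")}
    findings = []
    for dep in root.findall("dependencyManagement/dependencies/dependency"):
        ga = f"{_text(dep, 'groupId')}:{_text(dep, 'artifactId')}"
        scope = _text(dep, "scope")
        if scope:
            # Convention: no scope here, so managed and BOM-imported entries behave alike
            findings.append(f"{ga}: scope '{scope}' set in dependencyManagement")
        if dep.find("exclusions") is not None:
            findings.append(f"{ga}: exclusions declared in dependencyManagement")
        version = _text(dep, "version") or ""
        m = re.fullmatch(r"\$\{([^}]+)\}", version)
        if m is None:
            findings.append(f"{ga}: version '{version}' is not a ${{...}} property")
        elif m.group(1) != "project.version" and m.group(1) not in props:
            # Only this POM's <properties> are checked; parent properties are not resolved
            findings.append(f"{ga}: property '{m.group(1)}' is not defined")
    return findings
```

Running it over every module POM and failing the build on a non-empty result keeps the normalised layout from drifting between `release-2.x` and `master`.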