Hi Ralph,

On Fri, 7 Jul 2023 at 19:00, Ralph Goers <ralph.go...@dslextreme.com> wrote:
> ... But maybe I am worrying about nothing and most of the components won’t
> ever be touched.

That is what I think will happen. Even now most of the components haven't been touched in years.

> This brings up another question. The BOM POM will be referencing artifacts
> that will likely have dependencies on older releases of artifacts. For
> example, if log4j-jdbc hasn’t been released in a while it likely will be
> referencing an older release of log4j-core. The only way to fix that is by
> releasing everything that has a dependency on log4j-core at the same time as
> log4j-core. In that case we would be better off leaving things as they are.

The way I see it, the role of the BOM will be to update/overwrite the dependencies of an old `log4j-jdbc` to prove that it is compatible with a more recent `log4j-core` release. I don't feel the need to release an artifact just because one of its dependencies was updated.

Piotr