> On Jul 7, 2023, at 12:07 PM, Piotr P. Karwasz <piotr.karw...@gmail.com> wrote:
>
> Hi Ralph,
>
> On Fri, 7 Jul 2023 at 19:00, Ralph Goers <ralph.go...@dslextreme.com> wrote:
>> ... But maybe I am worrying about nothing and most of the components won’t
>> ever be touched.
>
> That is what I think will happen. Even now most of the components
> haven't been touched in years.
>
>> This brings up another question. The BOM POM will be referencing artifacts
>> that will likely have dependencies on older releases of artifacts. For
>> example, if log4j-jdbc hasn’t been released in a while it likely will be
>> referencing an older release of log4j-core. The only way to fix that is by
>> releasing everything that has a dependency on log4j-core at the same time as
>> log4j-core. In that case we would be better off leaving things as they are.
>
> The way I see it, the role of the BOM will be to update/overwrite the
> dependencies of an old `log4j-jdbc` to prove that it is compatible
> with a more recent `log4j-core` release. I don't feel the need to
> release an artifact just because one of its dependencies was updated.

I tend to agree with that, but I am quite confident that we are going to get
issues about it. Ideally, each project should use the BOM POM to bring in all
its Log4j dependency versions. Hopefully, that should cause all the
dependencies to reference whatever version is in the BOM that is included. But
I don’t know what will happen if multiple projects are importing the BOM.

Ralph
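The BOM-driven override discussed in this thread, sketched as a consumer POM. This is an added example, not part of the original messages or the Log4j project's own build files. The `com.example:consumer-app` coordinates are constructed, `log4j-jdbc` is the artifact name used in the thread, and the BOM version is a placeholder.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <!-- Constructed consumer project, for illustration only -->
  <groupId>com.example</groupId>
  <artifactId>consumer-app</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- Placeholder: set to the BOM release you actually consume -->
    <log4j.bom.version>BOM_VERSION_PLACEHOLDER</log4j.bom.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Importing the BOM copies its managed versions into this
           project's dependencyManagement section. -->
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-bom</artifactId>
        <version>${log4j.bom.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- No <version> here: it is taken from the imported BOM.
         Even if this artifact's own POM names an older log4j-core,
         the managed version from the BOM takes precedence for that
         transitive dependency when this project is resolved. -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-jdbc</artifactId>
    </dependency>
  </dependencies>
</project>
```

Running `mvn dependency:tree` on such a project shows which `log4j-core` version was actually selected and flags versions that were changed by dependency management.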