lukecwik commented on a change in pull request #15098:
URL: https://github.com/apache/beam/pull/15098#discussion_r662474738
##########
File path:
buildSrc/src/main/groovy/org/apache/beam/gradle/GrpcVendoring_1_36_0.groovy
##########
@@ -70,7 +70,6 @@ class GrpcVendoring_1_36_0 {
return [
'com.google.errorprone:error_prone_annotations:2.4.0',
'commons-logging:commons-logging:1.2',
- 'org.apache.logging.log4j:log4j-api:2.6.2',
Review comment:
I don't think this is what we wanted to do.
The idea has always been to have the vendored libraries expose some runtime
deps as not everything should be relocated (e.g. logging shouldn't be relocated
otherwise we lose logging from the relocated code). We should have just bumped
the version to something that doesn't have the security issue and is compatible
with the 2.6.2 version.
Ditto on the exclusions, we specifically keep them to prevent relocating
logging stuff and other libs that can't be relocated.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
