ppkarwasz commented on issue #1494: URL: https://github.com/apache/logging-log4j2/issues/1494#issuecomment-1569480597
Hi @askoog,

Dependency convergence is more a myth every project would like to have than a real goal. As you can see, `maven-core` itself depends on different versions of the same artifact. If you can propose an algorithm to achieve dependency convergence, I am all in. Fixing the versions of transitive dependencies in our parent POM is **not** a viable solution (we force our dependencies to work with libraries they were never tested with). We do it to pass the [`RequireUpperBoundDeps` enforcer rule](https://maven.apache.org/enforcer/enforcer-rules/requireUpperBoundDeps.html), but I wouldn't go as far as to enforce dependency convergence, especially on test artifacts.

Since more and more projects on GitHub use [Dependabot](https://github.com/dependabot) these days, you should open a feature request with them. They are probably one of the few entities that can coordinate a dependency convergence effort in such a way that:

* newer versions are preferred over older ones (end-user applications should have dependencies less than 4 years old, so upstream libraries like Log4j should probably have dependencies less than 1 year old),
* Dependabot suggestions take into account not only the release date of a library, but also the usage of that version in other projects.
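The distinction the comment draws between passing `RequireUpperBoundDeps` and achieving full dependency convergence is easiest to see on a concrete tree. The following is an added example, not code from Log4j, Maven or the Enforcer plugin: a Python script that parses a constructed listing in the style of `mvn dependency:tree -Dverbose` (where pruned nodes appear in parentheses with an "omitted for ..." reason) and reports both kinds of violation, with an option to ignore test-scoped artifacts as the comment suggests. The version ordering is a deliberate simplification of Maven's `ComparableVersion`, and the sample tree, coordinates and versions are constructed for illustration.

```python
"""Check a Maven dependency tree for convergence and upper-bound violations.

Added example (not Log4j or Maven Enforcer code). It re-implements, in
simplified form, what two enforcer rules look at:
  * DependencyConvergence: every groupId:artifactId is requested in exactly
    one version anywhere in the tree;
  * RequireUpperBoundDeps: the version Maven actually resolves (nearest wins)
    is not lower than any version requested elsewhere in the tree.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample resembling `mvn dependency:tree -Dverbose` output.
# Coordinates, versions and edges are illustrative, not a real project's tree.
SAMPLE_TREE = """\
org.example:app:jar:1.0.0
+- org.apache.logging.log4j:log4j-core:jar:2.20.0:compile
|  \\- org.apache.logging.log4j:log4j-api:jar:2.20.0:compile
+- org.example:lib-a:jar:3.1.0:compile
|  \\- (org.apache.logging.log4j:log4j-api:jar:2.19.0:compile - omitted for conflict with 2.20.0)
+- com.fasterxml.jackson.core:jackson-databind:jar:2.13.4:compile
+- org.example:lib-b:jar:1.4.0:compile
|  \\- (com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile - omitted for conflict with 2.13.4)
\\- org.junit.jupiter:junit-jupiter:jar:5.9.3:test
   +- org.apiguardian:apiguardian-api:jar:1.1.2:test
   +- org.opentest4j:opentest4j:jar:1.3.0:test
   \\- org.junit.jupiter:junit-jupiter-api:jar:5.9.3:test
      +- (org.apiguardian:apiguardian-api:jar:1.1.2:test - omitted for duplicate)
      \\- (org.opentest4j:opentest4j:jar:1.2.0:test - omitted for conflict with 1.3.0)
"""


@dataclass(frozen=True)
class Node:
    key: str        # groupId:artifactId
    version: str
    scope: str
    kept: bool      # False for nodes Maven pruned ("omitted for ...")


# Leading tree art, optional "(", the coordinate token, then the rest of the line.
_LINE = re.compile(r"^(?P<art>[\s|+\\-]*)\(?(?P<coords>[^\s()]+)(?P<tail>.*)$")


def parse_tree(text: str) -> list[Node]:
    """Turn the text tree into a flat list of nodes (kept and omitted)."""
    nodes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        parts = m.group("coords").split(":")
        if len(parts) == 4:        # root: g:a:type:version (no scope)
            g, a, _type, version = parts
            scope = "compile"
        elif len(parts) == 5:      # g:a:type:version:scope
            g, a, _type, version, scope = parts
        elif len(parts) == 6:      # g:a:type:classifier:version:scope
            g, a, _type, _classifier, version, scope = parts
        else:
            raise ValueError(f"unexpected coordinates: {parts}")
        kept = "omitted for" not in m.group("tail")
        nodes.append(Node(f"{g}:{a}", version, scope, kept))
    return nodes


def version_key(v: str):
    """Simplified ordering: numeric segments compare as ints, others as text.
    Maven's ComparableVersion has more rules (qualifiers such as -SNAPSHOT or
    -alpha sort below the plain release); this is enough for the illustration."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.-]", v))


def convergence_violations(nodes, ignore_scopes=frozenset()) -> dict[str, set[str]]:
    """DependencyConvergence: artifacts requested in more than one version.
    Occurrences whose scope is in ignore_scopes (e.g. {"test"}) are skipped."""
    requested = defaultdict(set)
    for n in nodes:
        if n.scope not in ignore_scopes:
            requested[n.key].add(n.version)
    return {k: vs for k, vs in requested.items() if len(vs) > 1}


def upper_bound_violations(nodes) -> dict[str, tuple[str, str]]:
    """RequireUpperBoundDeps: the resolved (kept) version is lower than some
    version requested elsewhere. Returns key -> (resolved, highest_requested)."""
    resolved = {n.key: n.version for n in nodes if n.kept}
    highest: dict[str, str] = {}
    for n in nodes:
        if n.key not in highest or version_key(n.version) > version_key(highest[n.key]):
            highest[n.key] = n.version
    return {k: (resolved[k], highest[k]) for k in resolved
            if version_key(resolved[k]) < version_key(highest[k])}


if __name__ == "__main__":
    nodes = parse_tree(SAMPLE_TREE)
    print("Convergence violations (all scopes):")
    for k, vs in sorted(convergence_violations(nodes).items()):
        print(f"  {k}: {sorted(vs)}")
    print("Convergence violations (test scope ignored):")
    for k, vs in sorted(convergence_violations(nodes, {"test"}).items()):
        print(f"  {k}: {sorted(vs)}")
    print("Upper-bound violations (resolved < highest requested):")
    for k, (got, want) in sorted(upper_bound_violations(nodes).items()):
        print(f"  {k}: resolved {got}, but {want} is requested elsewhere")
```

On the sample, `log4j-api` and `opentest4j` fail convergence (two versions requested) but pass the upper-bound check, because the nearest-wins resolution already picks the highest version; `jackson-databind` fails both, since the nearer 2.13.4 shadows a 2.15.2 request, which is exactly the situation a pinned version in a parent POM is used to paper over. Ignoring the test scope removes the `opentest4j` finding only.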
