wilkinsona opened a new issue, #3066:
URL: https://github.com/apache/logging-log4j2/issues/3066

   ## Description
   
   `log4j-bom` inherits from `logging-parent`. Unfortunately, this results in 
`log4j-bom` managing a number of dependencies that are unrelated to a 
consumer's use of Log4j2. Those dependencies are:
   
   - `biz.aQute.bnd:biz.aQute.bnd.annotation:7.0.0`
   - `com.github.spotbugs:spotbugs-annotations:4.8.6`
   - `org.jspecify:jspecify:1.0.0`
   - `org.osgi:osgi.annotation:8.1.0`
   - `org.osgi:org.osgi.annotation.bundle:2.0.0`
   - `org.osgi:org.osgi.annotation.versioning:1.1.2`
   
   `org.apache.maven.plugin-tools:maven-plugin-annotations:3.13.1` is also 
being managed but this is inherited from the `org.apache:apache` pom and has 
already been 
[reported](https://github.com/apache/maven-apache-parent/issues/265) and, 
pending an upgrade to use the new parent, 
[fixed](https://github.com/apache/maven-apache-parent/pull/266).
   
   This unwanted dependency management can conflict with a user's own 
dependency management for those dependencies. Depending on how that dependency 
management is configured, it may override it, leaving a consumer using an 
unexpected version of a dependency.
   
   ## Configuration
   
   **Version:** 2.21.0 and later. The list of dependencies above is from 2.24.1.
   
   **Operating system:** Any
   
   **JDK:** Any
   
   ## Logs
   
   N/A
   
   ## Reproduction
   
   Run `mvn help:effective-pom` in a project with the following `pom.xml`:
   
   ```xml
   <?xml version="1.0" encoding="UTF-8"?>
   <project xmlns="http://maven.apache.org/POM/4.0.0"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>
        <groupId>com.example</groupId>
        <artifactId>log4j-bom-problem</artifactId>
        <version>0.0.1-SNAPSHOT</version>
        <dependencyManagement>
                <dependencies>
                        <dependency>
                                <groupId>org.apache.logging.log4j</groupId>
                                <artifactId>log4j-bom</artifactId>
                                <version>2.24.1</version>
                                <scope>import</scope>
                                <type>pom</type>
                        </dependency>
                </dependencies>
        </dependencyManagement>
   </project>
   ```
   
   The output will show a number of managed dependencies that aren't in the 
`org.apache.logging.log4j` group.
   
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
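
A check for the result of the reproduction above, added here as an example and not part of the issue or the Log4j project: it parses effective-POM XML and lists managed dependencies whose group is outside an allow-list. The function names, the allow-list and the embedded sample (built from coordinates quoted in the issue) are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Constructed sample in the shape of `mvn help:effective-pom` output, using
# coordinates quoted in the issue; it is not real captured output.
SAMPLE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId><version>2.24.1</version></dependency>
    <dependency><groupId>com.github.spotbugs</groupId>
      <artifactId>spotbugs-annotations</artifactId><version>4.8.6</version></dependency>
    <dependency><groupId>org.jspecify</groupId>
      <artifactId>jspecify</artifactId><version>1.0.0</version></dependency>
  </dependencies></dependencyManagement>
</project>"""


def in_allowed_group(group, allowed_groups):
    """True if group equals an allowed group or is a sub-group of one."""
    return any(group == a or group.startswith(a + ".") for a in allowed_groups)


def unexpected_managed(effective_pom_xml, allowed_groups):
    """Return 'group:artifact:version' for managed deps outside allowed_groups."""
    root = ET.fromstring(effective_pom_xml)
    found = []
    # iter() matches a root <project> as well as several wrapped in a container.
    for project in root.iter(f"{{{POM_NS}}}project"):
        path = "m:dependencyManagement/m:dependencies/m:dependency"
        for dep in project.findall(path, NS):
            group, artifact, version = (
                (dep.findtext(f"m:{tag}", default="", namespaces=NS) or "").strip()
                for tag in ("groupId", "artifactId", "version"))
            if not in_allowed_group(group, allowed_groups):
                found.append(f"{group}:{artifact}:{version}")
    return found


if __name__ == "__main__":
    # Pass a file written by `mvn help:effective-pom -Doutput=<file>`, or use SAMPLE.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    hits = unexpected_managed(text, {"org.apache.logging.log4j"})
    print("\n".join(hits) or "no unexpected managed dependencies")
    sys.exit(1 if hits else 0)
```

The non-zero exit status on a hit lets the check fail a build step when an imported BOM starts managing coordinates outside the groups a project expects.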