xzel23 commented on issue #3196: URL: https://github.com/apache/logging-log4j2/issues/3196#issuecomment-2477975759
@ppkarwasz Thank you for your reply. So I think it's really not as bad as it seemed at first.

> Unfortunately this is not what Maven's conflict resolution does, that's why we encourage people to use log4j-bom for dependency management. It is the first step in [our installation guide](https://logging.apache.org/log4j/2.x/manual/installation.html#bom).

And that's one thing I like about Gradle, because they use another resolution strategy that I think works better in most cases.

> SLF4J suffers from the same problems, without the additional help of semantic versioning. For example SLF4J 2.0.10 introduced a new [Reporter](https://www.slf4j.org/api/org/slf4j/helpers/Reporter.html) helper class. Every Logback version that uses this class is no longer compatible with SLF4J 2.0.9!

Of course when you actually use a new feature that wasn't there before, you will probably need an implementation that's at least that version. But if you only upgrade the dependency without further changes to the code, it should not break. I think we all update versions when the used version has a CVE reported. If it's not possible, it should be noted in the release notes and a patch version of the old version should be released.

The bug is annoying, but at least I am relieved to see that you and the team are aware and hopefully we won't see less of such problems.
