idelpivnitskiy opened a new issue, #3692: URL: https://github.com/apache/logging-log4j2/issues/3692
log4j-bom is used to manage versions of different `log4j-*` artifacts. However, if you look at how "Managed Dependencies" section is parsed by Maven for the latest [log4j-bom:2.24.3](https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-bom/2.24.3), you can see that it finds 36 dependencies instead of 28 that are listed inside the log4j-bom's [pom file](https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-bom/2.24.3/log4j-bom-2.24.3.pom). This happens because `log4j-bom` depends on `logging-parent`, and [parent's pom.xml](https://repo1.maven.org/maven2/org/apache/logging/logging-parent/11.0.0/logging-parent-11.0.0.pom) also has `dependencyManagement` section that contains those extra 8 dependencies. This is not a mvnrepository.com UI bug, this behavior was discovered in a Gradle project. After adding `log4j-bom`, it started to affect not only `org.apache.logging.log4j` modules, but those other 8 dependencies as well. Expected behavior: `log4j-bom` manages only `org.apache.logging.log4j` dependencies. Consider either removing reference to `logging-parent` from `log4j-bom` or removing `dependencyManagement` section from `logging-parent`. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@logging.apache.org.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
