rocketraman commented on issue #144:
URL:
https://github.com/apache/logging-log4j-kotlin/issues/144#issuecomment-4090207780
@rturner-edjuster Thanks for the reproduction! This looks like a dependency
alignment problem.
1.5.0 transitively brings in log4j-api 2.23.1, but log4j-core 2.25.3. That
leaves the application with a mixed Log4j dependency set (api 2.23.1, core
2.25.3), which reproduces the failure:
```
$ mvn dependency:tree
[INFO] --- dependency:3.10.0:tree (default-cli) @ testapp ---
[INFO] testapp:testapp:jar:1.0-SNAPSHOT
[INFO] +- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:2.3.10:compile
[INFO] | +- org.jetbrains.kotlin:kotlin-stdlib:jar:2.3.10:compile
[INFO] | | \- org.jetbrains:annotations:jar:13.0:compile
[INFO] | \- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:2.3.10:compile
[INFO] +- org.apache.logging.log4j:log4j-api-kotlin:jar:1.5.0:compile
[INFO] | \- org.apache.logging.log4j:log4j-api:jar:2.23.1:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.25.3:compile
```
With the BOM, maven aligns the versions of -core and -api:
```
[INFO] testapp:testapp:jar:1.0-SNAPSHOT
[INFO] +- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:2.3.10:compile
[INFO] | +- org.jetbrains.kotlin:kotlin-stdlib:jar:2.3.10:compile
[INFO] | | \- org.jetbrains:annotations:jar:13.0:compile
[INFO] | \- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:2.3.10:compile
[INFO] +- org.apache.logging.log4j:log4j-api-kotlin:jar:1.5.0:compile
[INFO] | \- org.apache.logging.log4j:log4j-api:jar:2.25.3:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.25.3:compile
```
We *could* declare log4j-api as a `provided` dependency in this project but
I would prefer not to since its a real transitive dependency.
Maven's dependency mediation for the transitive log4j-api chooses the older
version rather than the newer. Gradle does not have the same behavior. When
declaring the core dependency at 2.25.3 *without* declaring any API dependency,
Gradle resolves the API version differently. See here that Gradle "upgrades"
the api dependency to 2.25.3 because log4j-core depends transitively on API as
well, which IMO makes more sense than Maven's decision to *downgrade* the
transitive dependency.
```
> Task :dependencyInsight
org.apache.logging.log4j:log4j-api:2.25.3
Variant apiElements:
| Attribute Name | Provided | Requested |
|------------------------------------|----------|--------------|
| org.gradle.status | release | |
| org.gradle.category | library | library |
| org.gradle.dependency.bundling | external | external |
| org.gradle.libraryelements | jar | classes |
| org.gradle.usage | java-api | java-api |
| org.gradle.jvm.environment | | standard-jvm |
| org.gradle.jvm.version | | 21 |
| org.jetbrains.kotlin.platform.type | | jvm |
Selection reasons:
- By conflict resolution: between versions 2.25.3 and 2.23.1
org.apache.logging.log4j:log4j-api:2.25.3
\--- org.apache.logging.log4j:log4j-core:2.25.3
\--- compileClasspath
org.apache.logging.log4j:log4j-api:2.23.1 -> 2.25.3
\--- org.apache.logging.log4j:log4j-api-kotlin:1.5.0
\--- compileClasspath
org.apache.logging.log4j:log4j-api-kotlin:1.5.0
Variant compile:
| Attribute Name | Provided | Requested |
|------------------------------------|----------|--------------|
| org.gradle.status | release | |
| org.gradle.category | library | library |
| org.gradle.libraryelements | jar | classes |
| org.gradle.usage | java-api | java-api |
| org.gradle.dependency.bundling | | external |
| org.gradle.jvm.environment | | standard-jvm |
| org.gradle.jvm.version | | 21 |
| org.jetbrains.kotlin.platform.type | | jvm |
org.apache.logging.log4j:log4j-api-kotlin:1.5.0
\--- compileClasspath
```
Unless there are objections I will go ahead and close this, as the simplest
solution is to tell Maven to do the right thing via the BOM.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
