Upon further analysis, I think this is coming in via log4j, although what is published in maven central doesn't seem to align with what Gradle is reporting when pointed at the maven staging repository. Either way doesn't seem to be a issue with shiro:
| | | | | +--- org.apache.logging.log4j:log4j-to-slf4j:2.24.3 -> 2.25.0 | | | | | | +--- org.apache.logging.log4j:log4j-api:2.25.0 | | | | | | | +--- org.jspecify:jspecify:1.0.0 | | | | | | | +--- biz.aQute.bnd:biz.aQute.bnd.annotation:7.1.0 | | | | | | | | +--- org.osgi:org.osgi.resource:1.0.0 | | | | | | | | \--- org.osgi:org.osgi.service.serviceloader:1.0.0 | | | | | | | +--- com.google.errorprone:error_prone_annotations:2.37.0 -> 2.39.0 | | | | | | | +--- org.osgi:org.osgi.annotation.bundle:2.0.0 | | | | | | | | \--- org.osgi:org.osgi.annotation.versioning:1.1.2 | | | | | | | +--- org.osgi:org.osgi.annotation.versioning:1.1.2 | | | | | | | +--- com.github.spotbugs:spotbugs-annotations:4.9.3 | | | | | | | | \--- com.google.code.findbugs:jsr305:3.0.2 | | | | | | | \--- org.apache.logging.log4j:log4j-bom:2.25.0 | | | | | | | +--- org.apache.logging.log4j:log4j-bom:2.25.0 (*) | | | | | | | +--- org.apache.logging.log4j:log4j-api:2.25.0 (c) | | | | | | | +--- org.apache.logging.log4j:log4j-jcl:2.25.0 -> org.slf4j:jcl-over-slf4j:2.0.17 (c) | | | | | | | +--- org.apache.logging.log4j:log4j-jul:2.25.0 -> org.slf4j:jul-to-slf4j:2.0.17 (c) | | | | | | | \--- org.apache.logging.log4j:log4j-to-slf4j:2.25.0 (c) | | | | | | +--- org.slf4j:slf4j-api:2.0.17 | | | | | | +--- org.jspecify:jspecify:1.0.0 | | | | | | +--- biz.aQute.bnd:biz.aQute.bnd.annotation:7.1.0 (*) | | | | | | +--- com.google.errorprone:error_prone_annotations:2.37.0 -> 2.39.0 | | | | | | +--- org.osgi:org.osgi.annotation.bundle:2.0.0 (*) | | | | | | +--- org.osgi:org.osgi.annotation.versioning:1.1.2 | | | | | | +--- com.github.spotbugs:spotbugs-annotations:4.9.3 (*) | | | | | | \--- org.apache.logging.log4j:log4j-bom:2.25.0 (*) On Wed, Jul 2, 2025 at 3:30 PM Craig Muchinsky <craig.muchin...@collibra.com> wrote: > > I noticed that after upgrading to the 2.0.5 release candidate, the > following additional transitive dependencies were pulled in, is that > by design? > > +biz.aQute.bnd:biz.aQute.bnd.annotation:7.1.0=compileClasspath,testCompileClasspath > +com.github.spotbugs:spotbugs-annotations:4.9.3=compileClasspath,testCompileClasspath > +org.osgi:org.osgi.annotation.bundle:2.0.0=compileClasspath,testCompileClasspath > +org.osgi:org.osgi.annotation.versioning:1.1.2=compileClasspath,testCompileClasspath > +org.osgi:org.osgi.resource:1.0.0=compileClasspath,testCompileClasspath > +org.osgi:org.osgi.service.serviceloader:1.0.0=compileClasspath,testCompileClasspath > > Best regards, > Craig M.
