Thanks for getting to the bottom of this Craig.
> On Jul 2, 2025, at 4:12 PM, Craig Muchinsky via user <user@shiro.apache.org>
> wrote:
>
> In case anybody else stumbles upon this, its caused by
> https://github.com/apache/logging-log4j2/commit/afa773a1ff2c9e773dd8e0745eead24b9c3ec32a,
> and appears to be by design
>
> On Wed, Jul 2, 2025 at 4:41 PM Craig Muchinsky
> <craig.muchin...@collibra.com> wrote:
>>
>> Upon further analysis, I think this is coming in via log4j, although
>> what is published in maven central doesn't seem to align with what
>> Gradle is reporting when pointed at the maven staging repository.
>> Either way doesn't seem to be a issue with shiro:
>>
>> | | | | | +---
>> org.apache.logging.log4j:log4j-to-slf4j:2.24.3 -> 2.25.0
>> | | | | | | +--- org.apache.logging.log4j:log4j-api:2.25.0
>> | | | | | | | +--- org.jspecify:jspecify:1.0.0
>> | | | | | | | +---
>> biz.aQute.bnd:biz.aQute.bnd.annotation:7.1.0
>> | | | | | | | | +--- org.osgi:org.osgi.resource:1.0.0
>> | | | | | | | | \---
>> org.osgi:org.osgi.service.serviceloader:1.0.0
>> | | | | | | | +---
>> com.google.errorprone:error_prone_annotations:2.37.0 -> 2.39.0
>> | | | | | | | +---
>> org.osgi:org.osgi.annotation.bundle:2.0.0
>> | | | | | | | | \---
>> org.osgi:org.osgi.annotation.versioning:1.1.2
>> | | | | | | | +---
>> org.osgi:org.osgi.annotation.versioning:1.1.2
>> | | | | | | | +---
>> com.github.spotbugs:spotbugs-annotations:4.9.3
>> | | | | | | | | \---
>> com.google.code.findbugs:jsr305:3.0.2
>> | | | | | | | \---
>> org.apache.logging.log4j:log4j-bom:2.25.0
>> | | | | | | | +---
>> org.apache.logging.log4j:log4j-bom:2.25.0 (*)
>> | | | | | | | +---
>> org.apache.logging.log4j:log4j-api:2.25.0 (c)
>> | | | | | | | +---
>> org.apache.logging.log4j:log4j-jcl:2.25.0 ->
>> org.slf4j:jcl-over-slf4j:2.0.17 (c)
>> | | | | | | | +---
>> org.apache.logging.log4j:log4j-jul:2.25.0 ->
>> org.slf4j:jul-to-slf4j:2.0.17 (c)
>> | | | | | | | \---
>> org.apache.logging.log4j:log4j-to-slf4j:2.25.0 (c)
>> | | | | | | +--- org.slf4j:slf4j-api:2.0.17
>> | | | | | | +--- org.jspecify:jspecify:1.0.0
>> | | | | | | +---
>> biz.aQute.bnd:biz.aQute.bnd.annotation:7.1.0 (*)
>> | | | | | | +---
>> com.google.errorprone:error_prone_annotations:2.37.0 -> 2.39.0
>> | | | | | | +--- org.osgi:org.osgi.annotation.bundle:2.0.0
>> (*)
>> | | | | | | +---
>> org.osgi:org.osgi.annotation.versioning:1.1.2
>> | | | | | | +---
>> com.github.spotbugs:spotbugs-annotations:4.9.3 (*)
>> | | | | | | \--- org.apache.logging.log4j:log4j-bom:2.25.0
>> (*)
>>
>> On Wed, Jul 2, 2025 at 3:30 PM Craig Muchinsky
>> <craig.muchin...@collibra.com> wrote:
>>>
>>> I noticed that after upgrading to the 2.0.5 release candidate, the
>>> following additional transitive dependencies were pulled in, is that
>>> by design?
>>>
>>> +biz.aQute.bnd:biz.aQute.bnd.annotation:7.1.0=compileClasspath,testCompileClasspath
>>> +com.github.spotbugs:spotbugs-annotations:4.9.3=compileClasspath,testCompileClasspath
>>> +org.osgi:org.osgi.annotation.bundle:2.0.0=compileClasspath,testCompileClasspath
>>> +org.osgi:org.osgi.annotation.versioning:1.1.2=compileClasspath,testCompileClasspath
>>> +org.osgi:org.osgi.resource:1.0.0=compileClasspath,testCompileClasspath
>>> +org.osgi:org.osgi.service.serviceloader:1.0.0=compileClasspath,testCompileClasspath
>>>
>>> Best regards,
>>> Craig M.
>
