Bruno Melloni <x.lo...@melloni.com> wrote:

> If I understood the explanation, it seems that the spring boot starter
> (parent) defaults to slf4j and that the code above removes that support while
> replacing it with log4j2.

I don’t know what your goals are for this library, but I do wonder if it’s a good idea to let a library depend on Spring Boot starters. I would expect that more gets pulled in than you actually want or need, as you’ve found.

Spring Boot starters are just artifacts that depend on one or more other artifacts and are generally meant to be used by applications. Libraries typically depend on one or more of those ‘lower level’ artifacts directly to explicitly define what they depend on and not pull in too much.

I maintain an in-house framework based on Spring Boot myself and I’d recommend importing the spring-boot-dependencies BOM of the Spring Boot version you’re targeting with your library into your library’s <dependencyManagement> section. That will allow you to use any dependency managed by Spring Boot without having to specify its version.

https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#bill-of-materials-bom-poms

Nils.

P.S. I notice your old POM uses Log4J 2.15.0, which is vulnerable to the pretty serious Log4Shell vulnerabilities.
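
The BOM import recommended in the message above, as an added example that is not part of the original thread or the poster's POM. The version values are placeholders, the two library dependencies (spring-context, log4j-api) are illustrative assumptions, and the log4j-bom import ahead of the Spring Boot BOM is one way to pin a patched Log4j 2 in light of the P.S.:

```xml
<!-- Added example: fragment of a library pom.xml, not the poster's POM. -->
<properties>
  <!-- Placeholders: set to the Spring Boot version the library targets
       and to a patched Log4j 2 release. -->
  <spring-boot.version>SPRING_BOOT_VERSION_PLACEHOLDER</spring-boot.version>
  <log4j2.version>PATCHED_LOG4J2_VERSION_PLACEHOLDER</log4j2.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Imported first: for imported BOMs the first declaration wins,
         so this overrides the Log4j versions managed by Spring Boot. -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-bom</artifactId>
      <version>${log4j2.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    <!-- Spring Boot's managed versions, without inheriting its parent POM. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-dependencies</artifactId>
      <version>${spring-boot.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- Lower-level artifacts instead of starters (illustrative choices);
       versions are supplied by the BOMs above. -->
  <dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-context</artifactId>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
  </dependency>
</dependencies>
```

Running `mvn dependency:tree -Dincludes=org.apache.logging.log4j` afterwards shows which Log4j 2 version actually resolves, including transitively.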