Description
log4j-bom inherits from logging-parent. Unfortunately, this results in log4j-bom managing a number of dependencies that are unrelated to a consumer's use of Log4j2. Those dependencies are:
- biz.aQute.bnd:biz.aQute.bnd.annotation:7.0.0
- com.github.spotbugs:spotbugs-annotations:4.8.6
- org.jspecify:jspecify:1.0.0
- org.osgi:osgi.annotation:8.1.0
- org.osgi:org.osgi.annotation.bundle:2.0.0
- org.osgi:org.osgi.annotation.versioning:1.1.2
org.apache.maven.plugin-tools:maven-plugin-annotations:3.13.1 is also being managed but this is inherited from the org.apache:apache pom and has already been reported and, pending an upgrade to use the new parent, fixed.
This unwanted dependency management can conflict with a user's own dependency management for those dependencies. Depending on how that dependency management is configured, it may override it, leaving a consumer using an unexpected version of a dependency.
Configuration
Version: 2.21.0 and later. The list of dependencies above is from 2.24.1.
Operating system: Any
JDK: Any
Logs
N/A
Reproduction
Run mvn help:effective-pom in a project with the following pom.xml:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>log4j-bom-problem</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-bom</artifactId>
        <version>2.24.1</version>
        <scope>import</scope>
        <type>pom</type>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

The output will show a number of managed dependencies that aren't in the org.apache.logging.log4j group.
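The check a consumer would want to run on the effective POM is to list every managed dependency whose groupId lies outside the groups the imported BOM is supposed to cover, and to compare those entries against the versions the consumer pins itself. The script below does that. It is an added example written for this report, not code from Log4j or from Maven. It assumes you have saved the effective POM with `mvn help:effective-pom -Doutput=effective-pom.xml` and pass its contents to `audit_effective_pom`; the XML embedded in the block is a constructed stand-in mirroring the managed entries listed above, trimmed to the `dependencyManagement` section, and the consumer pins in `EXAMPLE_OWN_PINS` are invented for illustration. One fact worth remembering when judging the conflict column: in Maven 3, a dependency declared directly in a project's `dependencyManagement` takes precedence over the same coordinate managed by an imported BOM, but between two imported BOMs the first one declared wins, so a BOM imported before your own platform BOM can silently set these versions.

```python
"""Audit an effective POM for dependencies an imported BOM manages
outside the groups you expected it to manage.

Added example for this issue report; not Log4j or Maven code.
Input: the XML written by `mvn help:effective-pom -Doutput=...`.
"""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}


def _dep_xml(group_id: str, artifact_id: str, version: str) -> str:
    # Builds one <dependency> element for the constructed sample below.
    return (
        f"<dependency><groupId>{group_id}</groupId>"
        f"<artifactId>{artifact_id}</artifactId>"
        f"<version>{version}</version></dependency>"
    )


# Constructed sample: the dependencyManagement section that
# `mvn help:effective-pom` shows for the reproduction project, limited
# to two Log4j entries plus the six entries the report lists.
SAMPLE_EFFECTIVE_POM = (
    f'<project xmlns="{POM_NS}">'
    "<modelVersion>4.0.0</modelVersion>"
    "<groupId>com.example</groupId>"
    "<artifactId>log4j-bom-problem</artifactId>"
    "<version>0.0.1-SNAPSHOT</version>"
    "<dependencyManagement><dependencies>"
    + _dep_xml("org.apache.logging.log4j", "log4j-api", "2.24.1")
    + _dep_xml("org.apache.logging.log4j", "log4j-core", "2.24.1")
    + _dep_xml("biz.aQute.bnd", "biz.aQute.bnd.annotation", "7.0.0")
    + _dep_xml("com.github.spotbugs", "spotbugs-annotations", "4.8.6")
    + _dep_xml("org.jspecify", "jspecify", "1.0.0")
    + _dep_xml("org.osgi", "osgi.annotation", "8.1.0")
    + _dep_xml("org.osgi", "org.osgi.annotation.bundle", "2.0.0")
    + _dep_xml("org.osgi", "org.osgi.annotation.versioning", "1.1.2")
    + "</dependencies></dependencyManagement></project>"
)

# Invented consumer pins (hypothetical): versions this project wants for
# two of the coordinates that the BOM also manages.
EXAMPLE_OWN_PINS = {
    ("com.github.spotbugs", "spotbugs-annotations"): "4.8.3",
    ("org.jspecify", "jspecify"): "1.0.0",
}


def managed_dependencies(pom_xml: str) -> list[tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for each managed dependency."""
    root = ET.fromstring(pom_xml)
    path = "m:dependencyManagement/m:dependencies/m:dependency"
    deps = []
    for dep in root.findall(path, NS):
        deps.append((
            dep.findtext("m:groupId", default="", namespaces=NS),
            dep.findtext("m:artifactId", default="", namespaces=NS),
            dep.findtext("m:version", default="", namespaces=NS),
        ))
    return deps


def unexpected_managed(pom_xml: str, allowed_groups: list[str]) -> list[tuple[str, str, str]]:
    """Managed entries whose groupId is not one of (or nested under) allowed_groups."""
    def allowed(group_id: str) -> bool:
        return any(group_id == g or group_id.startswith(g + ".") for g in allowed_groups)
    return [d for d in managed_dependencies(pom_xml) if not allowed(d[0])]


def version_conflicts(pom_xml: str, own_pins: dict) -> list[tuple[str, str, str, str]]:
    """(groupId, artifactId, pinned, bom_managed) where the BOM disagrees with a pin."""
    conflicts = []
    for group_id, artifact_id, version in managed_dependencies(pom_xml):
        pinned = own_pins.get((group_id, artifact_id))
        if pinned is not None and pinned != version:
            conflicts.append((group_id, artifact_id, pinned, version))
    return conflicts


def audit_effective_pom(pom_xml: str, allowed_groups: list[str], own_pins: dict) -> dict:
    """Run both checks and return them in one report."""
    return {
        "unexpected": unexpected_managed(pom_xml, allowed_groups),
        "conflicts": version_conflicts(pom_xml, own_pins),
    }


if __name__ == "__main__":
    report = audit_effective_pom(
        SAMPLE_EFFECTIVE_POM, ["org.apache.logging.log4j"], EXAMPLE_OWN_PINS
    )
    for g, a, v in report["unexpected"]:
        print(f"unexpected managed dependency: {g}:{a}:{v}")
    for g, a, pinned, managed in report["conflicts"]:
        print(f"version conflict: {g}:{a} pinned {pinned}, BOM manages {managed}")
```

To run it against a real project, replace `SAMPLE_EFFECTIVE_POM` with the contents of the file produced by `mvn help:effective-pom -Doutput=effective-pom.xml` and put your own `dependencyManagement` pins in the dictionary. Any coordinate that appears in the `unexpected` list is one the BOM is managing on your behalf without your asking; a non-empty `conflicts` list is the concrete case the report describes, where which version Maven actually resolves depends on whether your pin is a direct entry or comes from another imported BOM.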