log4j-slf4j-impl 2.22.0 appears to depend on slf4j-api 2 #2065
Comments
|
Thanks for using Log4j API[1] and noticing the problem. I believe that the source of the problem might be in Coursier. We use both SLF4J 1.7.x and 2.x (for <properties>
<slf4j.api>2.0.9</slf4j.api>
</properties>
<dependencies>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>${slf4j.version}</version>
</dependency>
</dependencies>while in the <properties>
<slf4j.version>1.7.25</slf4j.version>
</properties>This way to override dependency version is supported by Maven (Spring Boot uses it extensively): Coursier might have a problem with this. You should probably report it there. [1] the problem would not have appeared if you had |
|
That override scheme makes sense in principle and has a certain elegance, but I don't think this issue is specific to Coursier, nor does including slf4j-api as a direct dependency resolve the problem. I can include ThisBuild / useCoursier := falsein the (Note that the paths now refer to the Similarly, regardless if Coursier or Ivy is used, setting: libraryDependencies ++= Seq(
"org.apache.logging.log4j" % "log4j-slf4j-impl" % "2.22.0",
"org.slf4j" % "slf4j-api" % "1.7.36",
)(such that FWIW, another workaround (other than downgrading) is to specify a dependency override: dependencyOverrides += "org.slf4j" % "slf4j-api" % "1.7.36"but it's mistake-prone to have to specify that everywhere, when we didn't have to before Is there a name for this override scheme in Maven, so I can open tickets with Ivy and Coursier so that they might add support? In the meantime, until those tools support the scheme, could log4j revert to its earlier way of specifying the slf4j-api dependency, so this downstream effect is mitigated? |
|
I don't think this scheme has a name. It is based on the fact that the "Inheritance Assembly" phase is performed before the "Model Interpolation" phase (cf. Maven Model Builder). I guess that Ivy and Coursier do it differently. To mitigate the current problem we are open to PRs. As far as I recall only |
|
@pjfanning, as the resident Scala expert, do you have an idea how to fix this issue? |
|
I haven't tested this yet. I think this should be reported to sbt team though. It sounds like the issue might be in sbt itself. https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-slf4j-impl/2.22.0/ and its pom.xml look correct to me (slf4j 1.7 dependency) |
The easiest thing to do would be to revert #1920, but I'm not sure what other impact that would have. Otherwise, do you think it would help to add the dependency version within logging-log4j2/log4j-to-slf4j/pom.xml Lines 56 to 59 in 921073d log4j-mongodb3 too; I haven't looked at that one)?
|
|
I agree with @pjfanning's assessment. Generating the effective POM in Maven (using IDEA and/or |
|
Reverting #1920 would only move the problem from Yes, I believe that adding an explicit version to |
|
Interestingly, with org.apache.logging.log4j:log4j-slf4j-impl:2.21.1 - sbt resolves the slf4j dependency as 1.7.36 - which is ok since it's still 1.7.x. I think sbt must be getting the slf4j dependency from somewhere other than the log4j-slf4j-impl pom.xml. Maybe it gets it from something like the log4j-parent. |
That has been my guess as well, since the versions match up. v2.21.0: logging-log4j2/log4j-parent/pom.xml Line 141 in e613e9e v2.22.0: logging-log4j2/log4j-parent/pom.xml Line 141 in a1634d6 |
It's definitely a problem, but IMO a little less severe than the log4j1 artifact, because it works to specify the slf4j 2.x version (directly or transitively): libraryDependencies ++= Seq(
"org.slf4j" % "slf4j-api" % "2.0.9",
"org.apache.logging.log4j" % "log4j-slf4j2-impl" % "2.21.0",
)(i.e. it still appears as an eviction warning but the classpath ends up being right) |
Workaround a Coursier/Ivy dependency resolution bug that affects `log4j-slf4j-impl` and `log4j-mongodb3`. This bug also affects popular sites like MvnRepository (cf. [`log4j-mongodb3:2.22.0`](https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-mongodb3/2.22.0)). Closes apache#2065
|
This is blocked by: |
Workaround a Coursier/Ivy dependency resolution bug that affects `log4j-slf4j-impl` and `log4j-mongodb3`. This bug also affects popular sites like MvnRepository (cf. [`log4j-mongodb3:2.22.0`](https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-mongodb3/2.22.0)). Closes apache#2065
Workaround a Coursier/Ivy dependency resolution bug that affects `log4j-slf4j-impl` and `log4j-mongodb3`. This bug also affects popular sites like MvnRepository (cf. [`log4j-mongodb3:2.22.0`](https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-mongodb3/2.22.0)). Closes apache#2065
Workaround a Coursier/Ivy dependency resolution bug that affects `log4j-slf4j-impl` and `log4j-mongodb3`. This bug also affects popular sites like MvnRepository (cf. [`log4j-mongodb3:2.22.0`](https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-mongodb3/2.22.0)). Closes apache#2065
Description
log4j-slf4j-impl 2.22.0 appears to depend on slf4j 2, and not slf4j 1 as described by the documentation.
Configuration
Version: 2.22.0
Operating system: MacOS 13.5.1
JDK: I've tried Eclipse Adoptium Java 11.0.18 and Amazon.com Inc. Java 17.0.9 but I don't think it would matter
Logs
Not applicable
Reproduction
Using the following
build.sbtfile:then run
sbt "show fullClasspath":Note the
slf4j-apiversion:2.0.9.The text was updated successfully, but these errors were encountered: