log4j in the classpath

[dbyron0]

Not a problem with version 1.7.2, but 1.7.3 and 1.8.0 bring in org.rnorth:tcp-unix-socket-proxy:1.0.2 which indirectly drags in log4j. Here's how (via $ gradle dependencies)

     +--- org.rnorth:tcp-unix-socket-proxy:1.0.2
     |    +--- com.kohlschutter.junixsocket:junixsocket-native-common:2.0.4
     |    |    +--- com.kohlschutter.junixsocket:junixsocket-common:2.0.4
     |    |    |    \--- log4j:log4j:1.2.17
     |    |    +--- org.scijava:native-lib-loader:2.0.2
     |    |    \--- log4j:log4j:1.2.17
     |    +--- com.kohlschutter.junixsocket:junixsocket-common:2.0.4 (*)

junixsocket has already fixed the problem here, but I'm pretty sure no version 2.0.5 has been released. I asked awhile ago, but no dice.

This creates a classpath conflict for me because slf4j (really log4j-over-slf4j) and log4j both contain e.g. org/apache/log4j/Appender.class.

I can exclude log4j myself but here maybe might be better because we use slf4j here.

[rnorth]

Hmm, I went to exclude this and saw that there's already an exclusion... 🤔

    compile ('org.rnorth:tcp-unix-socket-proxy:1.0.2') {
        exclude(group: "log4j", module: "log4j")
    }

(in core/build.gradle)

Will investigate...

[kiview]

When I'm running ./gradlew :testcontainers:dependencies everything looks fine btw.:

+--- org.rnorth:tcp-unix-socket-proxy:1.0.2
|    +--- com.kohlschutter.junixsocket:junixsocket-native-common:2.0.4
|    |    +--- com.kohlschutter.junixsocket:junixsocket-common:2.0.4
|    |    \--- org.scijava:native-lib-loader:2.0.2
|    +--- com.kohlschutter.junixsocket:junixsocket-common:2.0.4
|    \--- org.slf4j:slf4j-api:1.7.21 -> 1.7.25

[dbyron0]

I think the struggle is that the published pom (e.g. http://central.maven.org/maven2/org/testcontainers/testcontainers/1.8.0/testcontainers-1.8.0.pom) doesn't exclude it. I see the same thing in ~/.m2/repositories when I run: $ ./gradlew testcontainers:publishToMavenLocal (though the version there shows up as unspecified...different issue).

I think the struggle is in the custom way the pom gets built....here. This doesn't take into account the exclusions. Changing to a configuration-wide exclusion:

configurations {
    compile.exclude group: 'log4j', module: 'log4j'
}

didn't help.

I took a crack at the more vanilla way of building a pom (by specifying from components.java as the docs say, and commenting out the code that adds dependencies to the xml directly), and the exclusions show up in the pom, but it's messy.

[bsideup]

Yes, we will need to handle the exclusion of public deps, thanks for reporting! I

…

On Fri, 22 Jun 2018 at 18:49, David Byron ***@***.***> wrote: I think the struggle is that the published pom (e.g. http://central.maven.org/maven2/org/testcontainers/testcontainers/1.8.0/testcontainers-1.8.0.pom) doesn't exclude it. I see the same thing in ~/.m2/repositories when I run: $ ./gradlew testcontainers:publishToMavenLocal (though the version there shows up as unspecified...different issue). I think the struggle is in the custom way the pom gets built....here <https://github.com/testcontainers/testcontainers-java/blob/master/gradle/publishing.gradle#L64>. This doesn't take into account the exclusions. Changing to a configuration-wide exclusion: configurations { compile.exclude group: 'log4j', module: 'log4j' } didn't help. I took a crack at the more vanilla way of building a pom (by specifying from components.java as the docs <https://docs.gradle.org/current/userguide/publishing_maven.html#sec:publishing_component_to_maven> say, and commenting out the code that adds dependencies to the xml directly), and the exclusions show up in the pom, but it's messy. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#753 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABAIiiX6N1CULM3ClLt-dCyfBhofkDmMks5t_SAngaJpZM4Uou1N> .

[dbyron0]

There's been a lot of activity on the gradle side around publishing...It's likely worth upgrading to 4.8.1 at least for https://docs.gradle.org/4.8/release-notes.html#customizing-the-generated-pom, though I don't see a silver bullet for this issue.

[rnorth]

Released in 1.8.1! 🎉