–1 vote
in java.data by

I see you've upgraded the log4j dependency in the clojure/tools.logging.
Would you do the same for clojure/java.data as well, please? So that (among others) seancorfield/next-jdbc, which plenty of projects depend on, can be upgraded too?
Thank you in advance

3 Answers

0 votes
by

tools.logging and java.data don't depend on log4j themselves but can be used with it if you add the dependency.

tools.logging was updated to use the new version for tests, but that wasn't strictly important as a user. Similarly, java.data does not depend on log4j or need to be updated.

by
I'm releasing java.data with an update to latest tools.logging to 1.0.95 (but note that this will not change any log4j dependencies as it is only a test dependency of tools.logging).
0 votes
by

org.clojure/java.data does not add log4j to your dependencies.

You can check it by running this command:

clj -Srepro -Sdeps '{:deps {org.clojure/java.data {:mvn/version "1.0.95"}}}' -Stree

org.clojure/clojure 1.10.3
  . org.clojure/spec.alpha 0.2.194
  . org.clojure/core.specs.alpha 0.2.56
org.clojure/java.data 1.0.95
  . org.clojure/tools.logging 1.2.1

As Alex explained, neither data.java nor tools.logging depends on log4j.

You can confirm this both in the code

https://github.com/clojure/tools.logging/blob/tools.logging-1.1.0/pom.xml#L31

(listed only in test scope, which is not included in the classpath when used as a library)

And in the Maven metadata (again, listed only as a test dependency)

https://mvnrepository.com/artifact/org.clojure/tools.logging/1.1.0

by
edited by
Edit: reposting as an answer
0 votes
by

Aaah, I see. Just for the record, how I came to my wrong conclusion:

I deleted the log4j from my maven repository:

rm -rf ~/.m2/repository/org/apache/logging/log4j/

Ran my build:

$ clojure -X:depstar uberjar :jar target/foo.jar
Downloading: org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.pom from central
Downloading: org/apache/logging/log4j/log4j/2.14.1/log4j-2.14.1.pom from central
Downloading: org/apache/logging/logging-parent/3/logging-parent-3.pom from central
Downloading: org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.pom from central
Downloading: org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar from central
Downloading: org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar from central
...

And wondered why it downloads log4j?

And then I saw the "update log4j again" commit from Alex in clojure/tools.logging
https://github.com/clojure/tools.logging/commit/8e8f899c00d79b03a7f5a3a83e52433d689feaf7
(paid no attention to pom.xml) and missed that it's only in the dev profile of the project.clj, since it's higher up in the file and does not(!) get listed in the additions/deletions listing on GitHub.

And now after being corrected I see that it's the build dependency on depstar in my deps.edn:

:aliases
 {:depstar
  {:replace-deps
   {com.github.seancorfield/depstar {:mvn/version "2.1.303"}}
   :ns-default hf.depstar
   :exec-args {}}}

which depends on log4j.

Thanks guys for helping me out.

Edit: formatting

by
depstar has been archived and I've been asking people to move to tools.build for three months now:

https://github.com/seancorfield/depstar#use-toolsbuild
by
Oh, for that matter, I basically copy-pasted the alias from John's
https://github.com/practicalli/clojure-deps-edn/blob/live/deps.edn ... and that has been doing what I need. Update it and... job done, moving on.

And now, when I read your README.md I can't find any "deprecated, use tools.build instead"... hmm.

Edit: Oh wait, there's something about that deeper in the text, in the 3rd paragraph. Sorry.
by
LOL! That whole section is called "Use tools.build" :) And then it explains why.
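
The check this thread arrives at, as an added example (not code from any of the posters or from the Clojure projects): a shell function that reads -Stree output and prints the chain of dependencies leading to each log4j artifact, so it is clear which declared dependency or build alias brings it in. It assumes the tree layout shown in the second answer; both sample trees are constructed, and the shape of the depstar tree is an assumption.

```shell
#!/bin/sh
# Reads `-Stree` output on stdin and prints "top-level -> ... -> log4j artifact"
# for every log4j coordinate found. Assumed layout (as in the answer above):
# two spaces of indent per level, children marked with ". ".
log4j_paths() {
  awk '
    {
      line = $0
      n = length(line)
      sub(/^ +/, "", line)               # strip indent, keep its width
      depth = int((n - length(line)) / 2)
      sub(/^\. /, "", line)              # drop the ". " child marker
      if (line == "") next
      stack[depth] = line                # ancestor currently open at this depth
      if (line ~ /^org\.apache\.logging\.log4j\//) {
        path = stack[0]
        for (i = 1; i <= depth; i++) path = path " -> " stack[i]
        print path
      }
    }'
}

# Constructed sample: tree for the library itself (matches the answer above).
sample_project_tree() {
cat <<'EOF'
org.clojure/clojure 1.10.3
  . org.clojure/spec.alpha 0.2.194
  . org.clojure/core.specs.alpha 0.2.56
org.clojure/java.data 1.0.95
  . org.clojure/tools.logging 1.2.1
EOF
}

# Constructed sample: tree for the build alias (structure assumed).
sample_alias_tree() {
cat <<'EOF'
org.clojure/clojure 1.10.3
  . org.clojure/spec.alpha 0.2.194
com.github.seancorfield/depstar 2.1.303
  . org.apache.logging.log4j/log4j-core 2.14.1
    . org.apache.logging.log4j/log4j-api 2.14.1
EOF
}

# Real use, with the command from the answer above:
#   clj -Srepro -Sdeps '{:deps {org.clojure/java.data {:mvn/version "1.0.95"}}}' -Stree | log4j_paths
sample_alias_tree | log4j_paths
```

An empty result for the project tree together with a non-empty result for a build alias is the situation described in the third answer: the vulnerable version arrives through build tooling, not through the library.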