Hi, Given the recent series of Dependabot proposals I was wondering what are the baselines In Log4j2 for Java EE and OSGI technologies. We don't really use them extensively, so we can tell Dependabot to stay at an older version and don't propose any upgrades.
Given the cheat sheet at: https://www.oracle.com/java/technologies/javaee/javaeetechnologies.html <https://www.oracle.com/java/technologies/javaee/javaeetechnologies.html#javaee5> we are using: * from Java EE 5: the Server Pages API, * from Java EE 6: the Servlet API, Message Service API * from Java EE 8: the Mail API, Persistence API Maybe we should use a single version? For reference Tomcat stopped supporting the 7.0 series (Java EE 6) last year, while the 8.5 (Java EE 7) and 9.0 (Java/Jakarta EE 8) are still supported. The `log4j-web` artifact uses Servlet 3.0 (Java EE 6) features, so we can not set the baseline lower than that. What do you think about setting the baseline to Java EE 8 (or use the Jakarta EE 8 artifacts) for the 2.x series and Jakarta EE 9 for the 3.x series? Another question is the OSGI baseline. I don't know what are the current version distribution of OSGI servers, but looking at PAX Logging: * the 1.10.x series (May 2017-current) is using OSGI 4.3 and our 2.12.x series, * the 1.11.x series (July 2019-current) is using OSGI 6.0 and our current 2.x version, * the 2.x series (January 2020-current) is using OSGI 7.0 and our current 2.x version. Therefore my proposal would be to use OSGI 6.0 for the 2.x series (Matt just upgraded it) and OSGI 7.0 for the 3.x series. Piotr
