[ https://issues.apache.org/jira/browse/MJAVADOC-724?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17578864#comment-17578864 ]
Yogesh Desai commented on MJAVADOC-724:
---------------------------------------
Sorry Michael if I misunderstood your question. The log4j/log4j-1.2.12 folder
and its artefacts get created in our local Maven repository upon Maven update
in Eclipse IDE or command line. In my case the local Maven repo is
C:/User/Yogesh/.m2
> Maven Java Doc Plug-in v3.4.0 downloads Log4j-1.2.12 dependency transitively
> ----------------------------------------------------------------------------
>
> Key: MJAVADOC-724
> URL: https://issues.apache.org/jira/browse/MJAVADOC-724
> Project: Maven Javadoc Plugin
> Issue Type: Bug
> Components: jar, javadoc
> Environment: Windows 10
> Reporter: Yogesh Desai
> Priority: Major
> Labels: Vulnerability
> Fix For: wontfix-candidate, waiting-for-feedback
>
>
> I have observed that Maven Java Doc Plug-in v3.4.0 downloads Log4j-1.2.12
> dependency transitively in .m2 folder. Since Log4j-1.X is strictly prohibited
> for use in many organisations, we had no other option than not using the
> plugin. Please plan to fix this issue and get rid of the log4j-1.X
> dependency. Thanks!