In case anybody else stumbles upon this, its caused by https://github.com/apache/logging-log4j2/commit/afa773a1ff2c9e773dd8e0745eead24b9c3ec32a, and appears to be by design
On Wed, Jul 2, 2025 at 4:41 PM Craig Muchinsky <[email protected]> wrote: > > Upon further analysis, I think this is coming in via log4j, although > what is published in maven central doesn't seem to align with what > Gradle is reporting when pointed at the maven staging repository. > Either way doesn't seem to be a issue with shiro: > > | | | | | +--- > org.apache.logging.log4j:log4j-to-slf4j:2.24.3 -> 2.25.0 > | | | | | | +--- org.apache.logging.log4j:log4j-api:2.25.0 > | | | | | | | +--- org.jspecify:jspecify:1.0.0 > | | | | | | | +--- > biz.aQute.bnd:biz.aQute.bnd.annotation:7.1.0 > | | | | | | | | +--- org.osgi:org.osgi.resource:1.0.0 > | | | | | | | | \--- > org.osgi:org.osgi.service.serviceloader:1.0.0 > | | | | | | | +--- > com.google.errorprone:error_prone_annotations:2.37.0 -> 2.39.0 > | | | | | | | +--- > org.osgi:org.osgi.annotation.bundle:2.0.0 > | | | | | | | | \--- > org.osgi:org.osgi.annotation.versioning:1.1.2 > | | | | | | | +--- > org.osgi:org.osgi.annotation.versioning:1.1.2 > | | | | | | | +--- > com.github.spotbugs:spotbugs-annotations:4.9.3 > | | | | | | | | \--- > com.google.code.findbugs:jsr305:3.0.2 > | | | | | | | \--- > org.apache.logging.log4j:log4j-bom:2.25.0 > | | | | | | | +--- > org.apache.logging.log4j:log4j-bom:2.25.0 (*) > | | | | | | | +--- > org.apache.logging.log4j:log4j-api:2.25.0 (c) > | | | | | | | +--- > org.apache.logging.log4j:log4j-jcl:2.25.0 -> > org.slf4j:jcl-over-slf4j:2.0.17 (c) > | | | | | | | +--- > org.apache.logging.log4j:log4j-jul:2.25.0 -> > org.slf4j:jul-to-slf4j:2.0.17 (c) > | | | | | | | \--- > org.apache.logging.log4j:log4j-to-slf4j:2.25.0 (c) > | | | | | | +--- org.slf4j:slf4j-api:2.0.17 > | | | | | | +--- org.jspecify:jspecify:1.0.0 > | | | | | | +--- > biz.aQute.bnd:biz.aQute.bnd.annotation:7.1.0 (*) > | | | | | | +--- > com.google.errorprone:error_prone_annotations:2.37.0 -> 2.39.0 > | | | | | | +--- org.osgi:org.osgi.annotation.bundle:2.0.0 > (*) > | | | | | | +--- > org.osgi:org.osgi.annotation.versioning:1.1.2 > | | | | | | +--- > com.github.spotbugs:spotbugs-annotations:4.9.3 (*) > | | | | | | \--- org.apache.logging.log4j:log4j-bom:2.25.0 > (*) > > On Wed, Jul 2, 2025 at 3:30 PM Craig Muchinsky > <[email protected]> wrote: > > > > I noticed that after upgrading to the 2.0.5 release candidate, the > > following additional transitive dependencies were pulled in, is that > > by design? > > > > +biz.aQute.bnd:biz.aQute.bnd.annotation:7.1.0=compileClasspath,testCompileClasspath > > +com.github.spotbugs:spotbugs-annotations:4.9.3=compileClasspath,testCompileClasspath > > +org.osgi:org.osgi.annotation.bundle:2.0.0=compileClasspath,testCompileClasspath > > +org.osgi:org.osgi.annotation.versioning:1.1.2=compileClasspath,testCompileClasspath > > +org.osgi:org.osgi.resource:1.0.0=compileClasspath,testCompileClasspath > > +org.osgi:org.osgi.service.serviceloader:1.0.0=compileClasspath,testCompileClasspath > > > > Best regards, > > Craig M.
