
When using the maven-dependency-plugin version 3.3.0, it's downloading log4j 1.2.12 as a dependency, which is causing security concerns. Version 3.3.0 is the latest version of the plugin. Is there a way to disable this dependency?

        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-dependency-plugin</artifactId>
            <version>3.3.0</version>
            <executions>
                <execution>
                    <id>copy-dependencies</id>
                    <phase>package</phase>
                    <goals>
                        <goal>copy-dependencies</goal>
                    </goals>
                    <configuration>...</configuration>
                </execution>
            </executions>
        </plugin>
  • An option could be to add the dependency in the pom with a newer version, in order to overwrite the oldest dependency with the new version. Or try to read this https://stackoverflow.com/questions/6028534/how-to-exclude-dependency-in-a-maven-plugin – Lako12 Oct 05 '22 at 18:56
  • Hi & Welcome! I think it comes down to this (2011) question: [How to exclude dependency in a Maven plugin?](https://stackoverflow.com/q/6028534/592355) – xerx593 Oct 05 '22 at 18:59
  • ...but the conclusion is: you can't! You can: try/hope to upgrade it ;( – xerx593 Oct 05 '22 at 19:03
  • Unfortunately, version 3.3.0 is the latest version. – Matt Houser Oct 05 '22 at 19:12
  • I have strong doubts that maven-dependency-plugin is downloading log4j as a dependency on its own. Please show the full pom file and the full log file during the build. Second, I would question the usage of "copy-dependencies" during a Maven build. The next important question is: which version of Maven do you use? Also a full example project which shows the behaviour would be helpful – khmarbaise Oct 05 '22 at 19:20
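The override the first comment suggests looks like the following. This is an added example, not code from the question or from the maven-dependency-plugin project: a pom.xml that declares log4j under the plugin's own `<dependencies>` element. Maven treats a dependency declared there as a direct dependency of the plugin, so it wins over the transitive log4j 1.2.12 on the plugin's classpath. The project coordinates are placeholders, the `outputDirectory` stands in for the elided `<configuration>...</configuration>` of the question, and the choice of 1.2.17 (the last log4j 1.x release) is ours, not something the thread states.

```xml
<!-- Added example (not from the question or any answer): pins the log4j
     version that maven-dependency-plugin 3.3.0 resolves for its own
     classpath. Plugin-level dependencies only affect the build JVM; they
     never change the project's application dependencies, so nothing here
     ends up in the artifacts that copy-dependencies writes out. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <!-- placeholder project coordinates -->
  <groupId>com.example</groupId>
  <artifactId>plugin-dep-override-demo</artifactId>
  <version>1.0-SNAPSHOT</version>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-dependency-plugin</artifactId>
        <version>3.3.0</version>
        <!-- A dependency declared here is resolved as a direct dependency
             of the plugin, so "nearest wins" picks 1.2.17 over the
             transitive 1.2.12. The version is our choice (assumption). -->
        <dependencies>
          <dependency>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
            <version>1.2.17</version>
          </dependency>
        </dependencies>
        <executions>
          <execution>
            <id>copy-dependencies</id>
            <phase>package</phase>
            <goals>
              <goal>copy-dependencies</goal>
            </goals>
            <configuration>
              <!-- placeholder for the configuration elided in the question -->
              <outputDirectory>${project.build.directory}/lib</outputDirectory>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

To confirm which version actually lands on the plugin classpath, run `mvn dependency:resolve-plugins`: it lists every plugin of the build together with the dependencies resolved for it, so log4j should appear once at 1.2.17 for maven-dependency-plugin. Two caveats a reviewer would raise: log4j 1.x is end-of-life, so a bump within 1.x narrows the exposure of the build environment rather than removing it; and because a plugin's direct dependency cannot be excluded outright (the conclusion of the linked 2011 question), replacing log4j entirely is only possible if it is pulled in transitively by another plugin dependency that can itself be redeclared at plugin level with an `<exclusions>` block, which depends on the plugin's dependency tree for the Maven version in use.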

0 Answers