Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

SEC-1488: all modules depend directly on commons logging #1727

spring-issuemaster opened this Issue May 25, 2010 · 3 comments


None yet
1 participant

Tomas Vojtech (Migrated from SEC-1488) said:

Please remove commons logging dependency from all modules except of core. All modules will still be commons logging dependent and exclusion of commons logging in projects using slf4j will be simpler.

Spring framework uses same system.

Luke Taylor said:

I assume you're talking about the maven poms. The commons-logging dependency is marked as "optional" in the parent pom, so it shouldn't be included as a transitive dependency in other projects. Could you clarify exactly what the problem is please?

Tomas Vojtech said:

yes I am talking about maven poms

if I try mvn dependency:tree without exclusion in my projects pom I get
[INFO] +- org.springframework.security:org.springframework.security.config:jar:3.0.2.RELEASE:compile
[INFO] | - org.apache.commons:com.springsource.org.apache.commons.logging:jar:1.1.1:compile

mvn package packs the logging artifact in final war file

problem is that each module has defined dependency in its own pom with scope compile

Luke Taylor said:

It looks like Maven is ignoring the "optional" element in the parent pom, which is annoying. I've removed the references to commons-logging entirely, since the dependency is pulled in transitively via the spring-core dependency anyway, and we always require that. We will probably ditch the use of maven for the 3.1 release onwards, so the maven pom issue will be revisited again when that happens.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment