Description
log4j-bom is used to manage versions of different log4j-* artifacts. However, if you look at how the "Managed Dependencies" section is parsed by Maven for the latest log4j-bom:2.24.3, you can see that it finds 36 dependencies instead of the 28 that are listed inside log4j-bom's pom file. This happens because log4j-bom depends on logging-parent, and the parent's pom.xml also has a dependencyManagement section that contains those extra 8 dependencies.
This is not a mvnrepository.com UI bug; this behavior was discovered in a Gradle project. After adding log4j-bom, it started to affect not only org.apache.logging.log4j modules, but those other 8 dependencies as well.
Expected behavior: log4j-bom manages only org.apache.logging.log4j dependencies.
Consider either removing the reference to logging-parent from log4j-bom or removing the dependencyManagement section from logging-parent.
Example of a correct BOM: https://mvnrepository.com/artifact/org.slf4j/slf4j-bom/2.0.17
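
A check for the inheritance effect this issue describes, as an added example that is not part of the issue or of the Log4j project: it merges the `dependencyManagement` entries of a BOM with those of its ancestor POMs and reports every effective entry outside the group the BOM is expected to manage. The POMs and coordinates are constructed samples, the caller supplies the parent chain, and the merge keys on groupId:artifactId only, ignoring property interpolation and import-scoped BOMs (simplifying assumptions).

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
DEP = ("<dependency><groupId>{}</groupId><artifactId>{}</artifactId>"
       "<version>{}</version></dependency>")
POM = ('<project xmlns="http://maven.apache.org/POM/4.0.0">'
       "<dependencyManagement><dependencies>{}</dependencies>"
       "</dependencyManagement></project>")

# Constructed sample POMs (hypothetical coordinates, not the real log4j-bom
# or logging-parent contents). The parent manages a third-party artifact and
# an older version of one of the BOM's own modules.
PARENT_POM = POM.format(DEP.format("org.example.thirdparty", "util", "9.9")
                        + DEP.format("org.example.lib", "lib-core", "1.0"))
BOM_POM = POM.format(DEP.format("org.example.lib", "lib-api", "2.0")
                     + DEP.format("org.example.lib", "lib-core", "2.0"))

def managed(pom_xml):
    """Return {(groupId, artifactId): version} declared in this POM only."""
    root = ET.fromstring(pom_xml)
    path = "m:dependencyManagement/m:dependencies/m:dependency"
    return {(d.findtext("m:groupId", namespaces=NS),
             d.findtext("m:artifactId", namespaces=NS)):
            d.findtext("m:version", namespaces=NS)
            for d in root.findall(path, NS)}

def effective_managed(chain):
    """Merge a POM chain (BOM first, then its ancestors); the child wins."""
    merged = {}
    for pom_xml in reversed(chain):  # apply the most distant ancestor first
        merged.update(managed(pom_xml))
    return merged

def outside_group(chain, allowed_group):
    """Effective entries whose groupId the BOM is not expected to manage."""
    return sorted(f"{g}:{a}:{v}"
                  for (g, a), v in effective_managed(chain).items()
                  if g != allowed_group)

if __name__ == "__main__":
    chain = [BOM_POM, PARENT_POM]
    print("declared in BOM:", len(managed(BOM_POM)))
    print("effective:      ", len(effective_managed(chain)))
    for entry in outside_group(chain, "org.example.lib"):
        print("unexpected:", entry)
```

Run against a real BOM and its parent POMs in CI, a non-empty `outside_group` result signals that importing the BOM will pin versions of artifacts the consumer never asked it to manage.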