Unable to update version for provided transient dependencies

["Mitchell Rathbun (BLOOMBERG/ 731 LEX)" <mr...@bloomberg.net>]

We are currently using Storm 1.2.3, and we want to update the version of log4j2 being used. In our Maven file, we specify storm-core with version 1.2.3 and provided scope. This dependency has dependencies on log4j-api, log4j-core, slf4j-log4j-impl, etc. The provided version of these dependencies is 2.8.2. I have tried declaring the log4j dependencies in our top level pom.xml with version 2.13.2 and compile scope, and have excluded these dependencies from the storm-core dependency. Regardless, when submitting our Storm topology, we always get the issue:

SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/bb/bin/package/a/apache-storm-1.2.3/1.2.3-3+b20200407T00292257/libexec/apache-storm-1.2.3/lib/log4j-slf4j-impl-2.8.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
.................

The 2.8.2 version of log4j2 is always used. So it doesn't seem like excluding provided transient dependencies is working as hoped. How can we update the transient log4j2 dependencies that are brought in with provided scope by the storm-core dependency?

Re: Unable to update version for provided transient dependencies

[Tomo Suzuki <su...@google.com.INVALID>]

Hi Mitchell,

Does your "mvn dependency:tree" contain the unwanted logging library?
If yes, that's strange. Maven does not automatically include Provided
transitive dependencies as far as I know.
If not, then it's Storm that brought the library by reading the dependency
graph in their way.



On Thu, May 28, 2020 at 1:41 PM Mitchell Rathbun (BLOOMBERG/ 731 LEX) <
mrathbun1@bloomberg.net> wrote:

> We are currently using Storm 1.2.3, and we want to update the version of
> log4j2 being used. In our Maven file, we specify storm-core with version
> 1.2.3 and provided scope. This dependency has dependencies on log4j-api,
> log4j-core, slf4j-log4j-impl, etc. The provided version of these
> dependencies is 2.8.2. I have tried declaring the log4j dependencies in our
> top level pom.xml with version 2.13.2 and compile scope, and have excluded
> these dependencies from the storm-core dependency. Regardless, when
> submitting our Storm topology, we always get the issue:
>
> SLF4J: Class path contains multiple SLF4J bindings.
> SLF4J: Found binding in
> [jar:file:/bb/bin/package/a/apache-storm-1.2.3/1.2.3-3+b20200407T00292257/libexec/apache-storm-1.2.3/lib/log4j-slf4j-impl-2.8.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
> .................
>
> The 2.8.2 version of log4j2 is always used. So it doesn't seem like
> excluding provided transient dependencies is working as hoped. How can we
> update the transient log4j2 dependencies that are brought in with provided
> scope by the storm-core dependency?



-- 
Regards,
Tomo