Posted to commits@tinkerpop.apache.org by GitBox <gi...@apache.org> on 2022/06/01 22:34:34 UTC

[GitHub] [tinkerpop] simonz-bq commented on pull request #1674: Bump logback version to 1.2.9 or greater

simonz-bq commented on PR #1674:
URL: https://github.com/apache/tinkerpop/pull/1674#issuecomment-1144209875

   > logback version is defined in the root pom.xml in `<dependencyManagement>`:
   > 
   > https://github.com/apache/tinkerpop/blob/master/pom.xml#L822-L826
   > 
   > as a result, I don't think you need to add the `<version>` to all the pom.xml individually.
   
   The TinkerPop pom.xml is complex so I can't say with certainty if it's necessary.
   
   My thought process is that if you build using the main pom.xml, then the dependency will be grabbed based on the version specified, and therefore satisfies the dependency requirement of the individual pom.xml when those dependencies are resolved.
   
   However, if someone were to modularly use the individual Maven projects as a standalone, I had a concern that then the dependency would not enforce a non-vulnerable versioning, hence why I added it.
   
   If someone can confirm that this is not an issue, then I think removing the added `<version>` to the individual pom is good.

