[英]Update version of child dependency in pom.xml
In my spring boot application, I'm using log4j2
.在我的 spring 引导应用程序中,我使用的是
log4j2
。
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-log4j2</artifactId>
</dependency>
Which is by default picking up version -默认情况下选择版本 -
<version>2.1.6.RELEASE</version>
This version of log4j2
internally uses log4j
:此版本的
log4j2
内部使用log4j
:
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.11.2</version>
<scope>compile</scope>
</dependency>
Recently it has been announced - log4j has some serious vulnerabilities till version 2.16
.最近宣布 - log4j 在
2.16
版本之前存在一些严重漏洞。
Also no version of log4j2
till now uses safer version - 2.17 of log4j
.到目前为止,还没有任何版本的
log4j2
使用更安全2.17 of log4j
版本。
So I want to first try to update my pom to use 2.17
version of log4j
without changing parent log4j2
version.所以我想首先尝试更新我的 pom 以使用
2.17
版本的log4j
而不更改父log4j2
版本。
I know it might not work & might give compilation issues, but I still want to try it first.我知道它可能不起作用并且可能会出现编译问题,但我仍然想先尝试一下。
How can I do that?我怎样才能做到这一点?
You can use <dependencyManagement>
:您可以使用
<dependencyManagement>
:
<dependencyManagement>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>[2.17.0,)</version>
</dependency>
</dependencyManagement>
This configures the dependency log4j-core
(if it exists) to use version 2.17 or later (see Version Range References ).这会将依赖
log4j-core
(如果存在)配置为使用 2.17 或更高版本(请参阅版本范围参考)。
Put the dependencyManagement
section next to your dependencies
section.将
dependencyManagement
部分放在您的dependencies
项部分旁边。
I would suggest to define log4j via bom file like this:我建议通过 bom 文件定义 log4j,如下所示:
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-bom</artifactId>
<version>2.17.0</version>
<scope>import</scope>
<type>pom</type>
</dependency>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.