I specified new version of Log4J but still dependencies also show old version

Question

I have a project that uses SLF4J also SLF4J uses Log4J 1.2.17 (as a default without specify any version in pom.xml).

Hi, I want to upgrade Log4J version to 2.17.1, there is information about how to do it https://logging.apache.org/log4j/2.x/maven-artifacts.html

and I added below code to my pom.xml file

<dependencies>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-slf4j-impl</artifactId>
    <version>2.17.1</version>
  </dependency>
</dependencies>

then when I check Maven Dependecies it shows old version and new version in my project

Currently I'm confused about "did I upgrade Log4J or not". How can i be sure?

Answer 1

In your pom.xml file you need to locate your atlassian-bamboo-web and exclude log4j, with something similar to this

<dependency>
    <groupId>com.atlassian.bamboo</groupId>
    <artifactId>atlassian-bamboo-web</artifactId>
    <version>6.8.1</version>
    <exclusions>
        <exclusion>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
        </exclusion>
    </exclusions>
</dependency>

Then, to preserve bamboo logging, you may need to follow this migration from log4j 1.x to 2.x https://logging.apache.org/log4j/2.x/manual/migration.html

You also need to add this dependency to override transitive dependency with lower version.

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-to-slf4j</artifactId>
    <version>2.17.1</version>
</dependency>

Answer 2

I resolved a similar issue excluding old dependencies. Please check the "exclusion" clause here on this section and add it to your POM xml file. Maven Dependency Mechanism