From 3fec5a55b325c465fff1a96523b61702bdb7e28d Mon Sep 17 00:00:00 2001
From: Peter Streef
Date: Fri, 20 Dec 2024 10:27:52 +0100
Subject: [PATCH] Remove log4j from runtime classpath as it is only needed to
generate a recipe from a refaster template
This does not yet work as expected in the test
---
build.gradle.kts | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/build.gradle.kts b/build.gradle.kts
index 049a59c..9284484 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -20,6 +20,10 @@ recipeDependencies {
}
dependencies {
+ compileOnly("log4j:log4j:1.+") {
+ because("log4j 1 has critical vulnerabilities but we need the type for the refaster recipe during compilation")
+ }
+
compileOnly("org.projectlombok:lombok:latest.release")
annotationProcessor("org.projectlombok:lombok:latest.release")
@@ -31,7 +35,6 @@ dependencies {
implementation("org.openrewrite.recipe:rewrite-static-analysis:${rewriteVersion}")
runtimeOnly("org.openrewrite:rewrite-java-17")
- implementation("log4j:log4j:1.+")
implementation("org.apache.logging.log4j:log4j-core:2.+")
implementation("org.slf4j:slf4j-api:2.+")