From 3fec5a55b325c465fff1a96523b61702bdb7e28d Mon Sep 17 00:00:00 2001
From: Peter Streef
Date: Fri, 20 Dec 2024 10:27:52 +0100
Subject: [PATCH] Remove log4j from runtime classpath as it is only needed to generate a recipe from a refaster template This does not yet work as expected in the test
---
 build.gradle.kts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/build.gradle.kts b/build.gradle.kts
index 049a59c..9284484 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -20,6 +20,10 @@ recipeDependencies {
 }
 dependencies {
+ compileOnly("log4j:log4j:1.+") {
+ because("log4j 1 has critical vulnerabilities but we need the type for the refaster recipe during compilation")
+ }
+
 compileOnly("org.projectlombok:lombok:latest.release")
 annotationProcessor("org.projectlombok:lombok:latest.release")
@@ -31,7 +35,6 @@ dependencies {
 implementation("org.openrewrite.recipe:rewrite-static-analysis:${rewriteVersion}")
 runtimeOnly("org.openrewrite:rewrite-java-17")
- implementation("log4j:log4j:1.+")
 implementation("org.apache.logging.log4j:log4j-core:2.+")
 implementation("org.slf4j:slf4j-api:2.+")
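Review bot: The new `compileOnly("log4j:log4j:1.+")` in the first hunk still uses a dynamic version selector, so the build picks up whichever 1.x artifact the configured repositories serve at resolution time; for a library the `because` text itself calls critically vulnerable, an exact pin such as `compileOnly("log4j:log4j:<EXACT_VERSION_PLACEHOLDER>")` (or Gradle dependency locking/verification) makes the compile classpath reproducible and auditable. Moving it from `implementation` to `compileOnly` does keep the jar off the runtime classpath, but Gradle's test configurations do not extend `compileOnly`, which is likely why the commit message says the test does not work yet. If the test only needs the type on its classpath, a test-scoped declaration with the same pinned coordinate (for example `testRuntimeOnly(...)`) would cover that without putting the jar back on the shipped runtime classpath; this is inferred, since the test is not in the patch. The `dependencies` block opens inside this hunk and continues past it.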