I am very much in favor of Pulkit's suggestion. We've previously discussed using something like https://github.com/nebula-plugins/gradle-dependency-lock-plugin. This would make a process like Pulkit describes very easy. We could easily be on the latest versions that are known to work and at the same time capture which dependencies cannot easily be upgraded. This would save lots of manual work and also provide greater transparency to us into where actual human effort is required to catch back up with the latest.
On Thu, Apr 5, 2018 at 8:12 AM, Anthony Baker <aba...@pivotal.io> wrote:
> I created https://issues.apache.org/jira/browse/GEODE-5001 for this.
>
> Anthony
>
>
>
> On Apr 4, 2018, at 5:39 PM, John Blum <jb...@pivotal.io> wrote:
> >
> > +0
> >
> >
> > The Apache Geode *Log4j* dependency version *2.8.2* is or will cause
> > significant issues for apps, and in particular *Spring Boot* 2.0 apps.
> >
> > This Geode Log4j version is already quite dated as *Log4j 2.11.0* is now
> > already available [1] and *Spring Boot* 2.0 pulls in *Log4j 2.10.0* [2].
> >