jira-importer opened a new issue, #71: URL: https://github.com/apache/maven-apache-resources/issues/71
**[NRYet](https://issues.apache.org/jira/secure/ViewProfile.jspa?name=JIRAUSER281746)** opened **[MASFRES-51](https://issues.apache.org/jira/browse/MASFRES-51?redirect=false)** and commented

Log4j's problem led me to a strange thought; I want to discuss this with you: will the transitive "provided" dependency impair my project?

Let's take an example. I have a project structure like this. I import "druid", which has a provided dependency "log4j-core":

```
my-company:my-app2:v1.0
\- com.alibaba:druid:jar:1.2.8:compile
   \- org.apache.logging.log4j:log4j-core:jar:2.13.3:provided
```

To `my-app`, `log4j-core` is a **transitive "provided" dependency**. But "provided" scope is not transitive according to the doc, so when we use `mvn dependency:tree`, we can only get:

```
my-company:my-app2:v1.0
\- com.alibaba:druid:jar:1.2.8:compile
```

Since log4j-core participates in the compilation of druid, part of `log4j-core`'s code could be inside. In the worst condition, could they also be vulnerable? If so, how could we know `log4j-core` is actually inside?

---

No further details from [MASFRES-51](https://issues.apache.org/jira/browse/MASFRES-51?redirect=false)
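
The question above asks how to tell whether `log4j-core` code actually ended up inside a consumer jar when `mvn dependency:tree` cannot show a transitive `provided` dependency. The script below is an added example, not part of the Jira issue or of the Maven project: it opens a jar as a zip archive and reports log4j-core class files, the `pom.properties` Maven leaves under `META-INF/maven/` (which carries the version), and does the same for archives nested inside the jar (uber-jars, Spring Boot `BOOT-INF/lib`). The sample jars it scans are constructed in memory with placeholder class bytes; the package and metadata paths are the real log4j-core ones. Against a real artifact, pass `open(path, "rb").read()` to `scan_jar_bytes`.

```python
"""Check whether a jar actually carries log4j-core code.

Added example (not from the Jira issue or the Maven project). Maven compiles a
library against its 'provided' dependencies but does not package them, so the
consumer's dependency tree says nothing about what is physically in the
library's jar. The reliable check is to open the archive and look.
"""
import io
import re
import zipfile

# Classes under this package belong to log4j-core (log4j-api lives one level up).
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
# Shaded or bundled log4j-core usually keeps Maven's pom.properties, which names the version.
LOG4J_CORE_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_jar_bytes(data, location_prefix=""):
    """Return a sorted list of (location, detail) findings for log4j-core content.

    location: entry path, with '!/' marking descent into a nested archive
    detail:   'class' for a log4j-core class file, or 'version=X' from pom.properties
    Nested archives are scanned recursively.
    """
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    with archive:
        for name in archive.namelist():
            location = location_prefix + name
            if name.startswith(LOG4J_CORE_PREFIX) and name.endswith(".class"):
                findings.append((location, "class"))
            elif name == LOG4J_CORE_POM_PROPS:
                props = archive.read(name).decode("utf-8", "replace")
                match = re.search(r"^version=(.+)$", props, re.MULTILINE)
                version = match.group(1).strip() if match else "?"
                findings.append((location, "version=" + version))
            elif name.endswith(NESTED_ARCHIVE_SUFFIXES):
                findings.extend(scan_jar_bytes(archive.read(name), location + "!/"))
    return sorted(findings)


def has_log4j_core(data):
    """True if any log4j-core class or pom.properties is found anywhere in the archive."""
    return bool(scan_jar_bytes(data))


# ---- constructed sample archives (placeholder bytes, not real bytecode) -----

def _write_log4j_core_entries(zf, version):
    zf.writestr(LOG4J_CORE_PREFIX + "lookup/JndiLookup.class", b"\xca\xfe\xba\xbe placeholder")
    zf.writestr(LOG4J_CORE_POM_PROPS,
                "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=%s\n" % version)


def build_sample_jar(shade_log4j=False, nest_log4j=False, version="2.13.3"):
    """Build a druid-like consumer jar: plain, with log4j-core shaded in, or with it nested."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/alibaba/druid/pool/DruidDataSource.class", b"\xca\xfe\xba\xbe placeholder")
        if shade_log4j:
            _write_log4j_core_entries(zf, version)
        if nest_log4j:
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as inner_zf:
                _write_log4j_core_entries(inner_zf, version)
            zf.writestr("BOOT-INF/lib/log4j-core-%s.jar" % version, inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for label, jar in (("plain", build_sample_jar()),
                       ("shaded", build_sample_jar(shade_log4j=True)),
                       ("nested", build_sample_jar(nest_log4j=True))):
        print(label, "log4j-core present:", has_log4j_core(jar))
        for location, detail in scan_jar_bytes(jar):
            print("   ", detail, location)
```

The plain jar, which is what a normal Maven build of a library with a `provided` dependency produces, yields no findings: compiling against log4j-core does not copy its classes into the artifact. Only when a build deliberately shades or nests the dependency do its classes appear, and that is exactly the case the dependency tree cannot reveal, so the archive scan is the check to run.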
