I have a project with dependency tree like below.
<dependency>
<groupId>xxxxx</groupId>
<artifactId>xxxxxx</artifactId>
<exclusions>
<exclusion>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
</exclusions>
</dependency>
I excluded log4j 1.2.14 which my dependency xxxxxx uses and added log4j-api and log4j-core as new dependencies.
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.17.1</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.17.1</version>
</dependency>
Finally, log4j 1.2.14 seems removed from dependency:tree output but when running "mvn clean and install" command it is still downloaded. Is there a way to prevent this version to be downloaded?
xxxxxx dependency is an internal artifact developed by our company internally. By adding exclusion for log4j, I assumed log4j should not be downloaded anymore. But it was still being downloaded. By running "mvn dependency:resolve-plugins" as @Piotr P. Karwasz recommended, I noticed log4j-1.x.x is used by another internally developed maven plugin. By upgrading this plugin to used log4j 2 supported version, I fixed my problem.