Consider removing spotbugs-annotations dependency #3984
Description
spotbugs-annotations brings two nullability annotations which might accidentally cause wrong import being selected by the developer.
As far as I understand, the only purpose of spotbugs-annotations in log4j is to have @SuppressFBWarnings, however it does not really require a dependency for it. SpotBugs is happy to have a class in any package.
-
Here's a sample in log4j code:
-
Gradle treats Maven's
providedas if they werecompileOnlydependencies.
In other words, Gradle projects that depend onlog4j2do getprovideddependencies on theircompileClasspath. In fact, it makes sense: if the project required a dependency to be present during compilation, then the one who depend on such a module should also have those dependency on the compile classpath.
The justification is that annotations (e.g.@Nullable) do impact the API of a module, and, say Kotlin compiler might properly infer if the parameter type is nullable or not based on the annotation. If the annotation is not present on the compile classpath, then the compilation might fail.
Note: this is exactly the reason why Guava keeps @Nullable annotation on their compile scope.
Apache JMeter uses log4j2 for logging, and it turns out that log4j2 brings spotbugs-annotations and its @Nullable annotations which makes it inconvenient to maintain code.
I know I can configure IDE to avoid unwanted imports, however, it is IDE-specifc.
What do you think of removing spotbugs-annotations dependency altogether?
PS I asked SpotBugs developers to deprecate their nullable annotations, so the clients get warnings at least, however, they insist that they can deprecate their nullability annotations only when they get full support for JSpecify: spotbugs/spotbugs#3811
Frankly, I do not believe SpotBugs will get full JSpecify support in the nearest future (why spending time on it provided there's NullAway and friends?)