Move "log4j shadow" to a separate plugin

[vlsi]

What feature do you want to see added?

I would like to avoid default shadow-plugin -> log4j-core dependency as it causes CVEs indentified in log4j-core.

Here's an example:

Transitive dependency org.apache.logging.log4j:log4j-core 2.25.3 is introduced via
com.gradleup.shadow:shadow-gradle-plugin 9.4.2  org.apache.logging.log4j:log4j-core 2.25.3

By default, shadow should detect precense of multiple log4j configurations on the classpath and just fail with clear message like "to merge log4j configurations, use the following plugin" or something like that.

Note: in the ideal world, log4j should be designed in such a way that does not require special merger.

The hard dependency on log4j-core is painful for the end-users.

The issue impacts https://github.com/pgjdbc/pgjdbc

Upstream changes

No response

Are you interested in contributing this feature?

I would be willing to contribute the feature if that could be accepted

[Goooler]

The hardest part of fixing this is getting rid of

shadow/src/main/kotlin/com/github/jengelman/gradle/plugins/shadow/transformers/Log4j2PluginsCacheFileTransformer.kt

Line 49 in 4a7db87

val aggregator = PluginCache()

[vlsi]

I perfectly understand that.
It is unfortunate that log4j CVE burden incurs on every shadow user.

I could suggest the following:

1. convert it to a reflective call and ask users adding log4j-core explicitly if they want log4j merging feature
2. ask log4j team to provide a small-surface log4j-merger artifact that would not bring log4j-core
3. exclude log4j merger from the default shadow feature set and ask log4j team to maintain it
4. ask log4j team to rework log4j plugins so they do not require resource transformation

[Goooler]

A new version has been released for the updates in #2069.
I need more time to consider this. It looks like we have to address a breaking change for these solutions, perhaps in the next major version.

Thanks for the report and suggestions!