Only check `runtimeClasspath` for compatibility with target JVM version

[ppkarwasz]

Expected Behavior

Gradle should not fail the build when compileClasspath contains dependencies that are incompatible with the JavaCompile.options.release parameter. Instead, it should issue a warning to inform users of a potential mismatch, allowing them to make an informed decision.

Current Behavior (optional)

Gradle currently checks both the compileClasspath and runtimeClasspath against the value specified by JavaCompile.options.release. If it finds an incompatible dependency in either, it fails the build with an error like the following:

Execution failed for task ':compileJava'.
> Could not resolve all files for configuration ':compileClasspath'.
   > Could not resolve com.github.spotbugs:spotbugs-annotations:4.9.3.
     Required by:
         project : > org.apache.logging.log4j:log4j-api:2.25.0
      > No matching variant of com.github.spotbugs:spotbugs-annotations:4.9.3 was found. The consumer was configured to find a library for use during compile-time, compatible with Java 8, preferably in the form of class files, preferably optimized for standard JVMs, and its dependencies declared externally but:
         [ ... ]

While checking the runtimeClasspath is essential to prevent runtime errors, enforcing the same check on compileOnly dependencies is overly strict. These dependencies are used exclusively by the compiler, annotation processors, or compiler plugins. If the JDK used in the toolchain is compatible with those dependencies, compilation will succeed.

Context

This error was reported by our Gradle users in apache/logging-log4j2#3754.

Although Gradle's heuristic aims to prevent runtime errors—a goal we fully support—in this case, it unnecessarily breaks builds for Gradle users while Maven users encounter no such problems. As a result, users cannot use Log4j 2.25.0 with Gradle, despite it being fully compatible from a runtime perspective.

[ljacomet]

This issue needs a decision from the team responsible for that area. They have been informed. Response time may vary.

---

Detailed analysis on the Log4J side.

One challenge is that while this could be a valid strategy for spotbugs-annotations, it would not be for all dependencies.

[ppkarwasz]

One challenge is that while this could be a valid strategy for spotbugs-annotations, it would not be for all dependencies.

To clarify, we do consider using a Java 11 version of spotbugs-annotations a bug—something we overlooked in our recent Log4j release. However, the impact on Gradle users is disproportionately large compared to the underlying issue. Notably, Maven users are completely unaffected.

It's also worth pointing out that this bug was introduced as a side effect of our fix for another issue (apache/logging-log4j2#3110), where users would get an unwanted compiler warning when using -Xlint:all. To address that, we began publishing Gradle-specific *.module metadata that declared spotbugs-annotations as a compileOnlyApi dependency.

That well-intentioned fix (apache/logging-log4j2#3450) unfortunately turned a harmless compiler warning into a complete compilation failure for Gradle users with Log4j 2.25.0. 😅

[jvandort]

From the linked analysis:

spotbugs-annotations is a compile-time–only dependency.

If this is the case, you should be able to mark this dependency as optional on the Maven side, and then Gradle consumers will not try to resolve it. However, you should still get it at compile-time when building log4j2. AFAIK this is the best way to model build-only dependencies in Maven.

The advantage being your Maven users also don't resolve this dependency, as they don't need it during runtime or compilation either.

[ppkarwasz]

spotbugs-annotations is a compile-time–only dependency.

If this is the case, you should be able to mark this dependency as optional on the Maven side, and then Gradle consumers will not try to resolve it.

That's exactly what we've been doing from the beginning: compile-time–only annotation libraries like spotbugs-annotations are declared using the Maven provided scope. For downstream consumers, this effectively behaves the same as using compile + optional — the transitive dependency is ignored. Unless I am mistaken, Gradle maps this first to compileOnly and then discards it since it's transitive.

What changed in Log4j 2.25.0 is that we started using the Gradle Module Metadata Maven Plugin to explicitly declare spotbugs-annotations as a compileOnlyApi dependency, with the goal of improving the experience for Gradle users. Specifically, this addresses a minor Java compiler warning some users encountered:

warning: Cannot find annotation method 'value()' in type 'BaselineIgnore': class file for aQute.bnd.annotation.baseline.BaselineIgnore not found

While I remain skeptical of the usefulness of this particular warning (see my comments in apache/logging-log4j2#3110 (comment) and JDK-8342833), some users have strict policies that treat any compiler warning as a build failure. So even a mild warning becomes a real problem in certain environments.

However, using compileOnlyApi carries a significant new risk: if we accidentally upgrade an annotation library that:

• is itself built with Gradle (or publishes Gradle Module Metadata), and
• has a org.gradle.jvm.version higher than 8,

then our Gradle users targeting Java 8 bytecode are completely unable to use our library — even though the dependency is only needed at compile time and they use a newer Java compiler. And this is what happened in 2.25.0.

That’s why I’d like to propose—more as a feature request than a bug report—that Gradle’s strict compatibility check on compileOnly dependencies be downgraded to a warning.