Indexing process pulling log4j 1.2.12 to Maven Repository

Hello Twanger 

It looks like a transitive dependency from a Maven/Gradle plugin, test utility, or auxiliary indexing/import component is causing Maven Resolver to fetch log4j:log4j:1.2.12 during the project’s sync/indexing phase, even though your pom.xml doesn’t declare it directly. To confirm where it comes from please check the following:

1. Run mvn -q dependency:tree -Dincludes=log4j:log4j to see if any module or plugin in your reactor brings it in transitively. If your project is multi-module, run it per module to catch scope-specific pulls (tests/build plugins). This helps prove it’s not in your effective dependencies if the tree is empty for your main modules, and highlights plugins/tests if present.
2. Check .m2/repository/org/apache/log4j/log4j/1.2.12/_remote.repositories to see which repository entry wrote it and when. The timestamp helps correlate with the indexing/import moment.
3. If you also use Gradle in the repo, run gradle dependencies | grep -i log4j to ensure no Gradle-side tool pulls it. We’ve seen mixed repos where Gradle parts influence the IDE’s setup/import and trigger unexpected resolutions.
4. Search your build scripts for “indexing-server”, legacy test utilities, or older logging bridges that could pull Log4j 1.x transitively, especially in test/buildSrc/integration-test folders. Prior issues show those as common sources.

If nothing above applies to your case please collect the logs by going to Help | Collect Logs and Diagnostic Data, attaching the zip file here or through our secure upload site https://uploads.jetbrains.com/, and sharing the uploadID.

Problem is indeed caused by one or more maven plugins we use in our pom files. So not an Intellij issue. Thanks for your support!

Hi Twanger 

Thanks for the update. We're here to help, so if you have any further questions, please don't hesitate to let us know.

Have a great day!

Monica!

We have further investigated the issue, and we think that this is either a bug of IDEA or of the Maven plugin provided by Intellij. As soon as Intellij starts to download a plugin, it will also download the old log4j dependency. 

You can reproduce the bug the following way: 

1. Create a new Maven project and insert the following maven-compiler-plugin in the pom.xml (any other plugin or version will result in the same behavior!)

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.intellij</groupId>
  <artifactId>mavenbug</artifactId>
  <packaging>war</packaging>
  <version>1.0-SNAPSHOT</version>
  <name>mavenbug Maven Webapp</name>
  <url>http://maven.apache.org</url>
  <dependencies>    
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.14.0</version>
      </plugin>
    </plugins>
  </build>
</project>

2. Make sure that the plugin is not available in your .m2\repository\org\apache\maven\plugins\maven-compiler-plugin. Delete the plugin if it is already in the directory. Also make sure that there is no log4j version 1.2.12 in .m2\repository\log4j\log4j\1.2.12

3. In the Maven toolbar, click the “Reload All Maven Projects” button. 

Maven will now download the Maven-Compiler-Plugin, as well as the log4j 1.2.12 dependency to the .m2 directory. 

4. Delete both packages again.

5. Go to Windows console, navigate to your project and build: mvn package. Maven will not download the log4j package this time. 

So, under the IDEA environment the log4j package is downloaded, although there is no transitive dependency from the Maven Compiler to log4j. 

I have provided logs & diagnostic data under this upload id: 2026_01_16_2BWMBFHwrETLYtxr1eKh4e

We tested this using IDEA 2025.3.1 Ultimate as well as 2025.1.1.1 Community

Hello Twanger 

Thanks for the further investigation. I was able to reproduce the issue when creating a new project and can see that log4j 1.2.12 is added to the repository only after the project is created; in later attempts, the dependency is not downloaded.

I opened a new ticket with our support team. Please subscribe to it for further updates and upvote to increase visibility: IJPL-384832.