Most of the 3rd party dependency specifications defined in our 3.7.1.Final BOMs can be removed, as long as they are merely defining a version. For example, client applications should specify dependencies (including versions) on the desired logging framework and JUnit; ModeShape should not be defining "default" versions.

On the other hand, we do need to keep any dependency for which we define exclusions (or move the exclusions onto the appropriate ModeShape artifact) as well as dependencies (e.g., extensions) that a client application simply needs to be available on the classpath to enable some specific ModeShape behavior, or for which a client application wants to directly access the API. For example, we should keep default dependencies for all the available cache stores, sequencers, and other extensions. We also need to retain dependency definitions for Infinispan Core, since clients may want to directly configure cache configurations programmatically.

See also MODE-2092 for an initial attempt at this, and MODE-2133 for the regression fix (the last commit of which adds the logging version in could probably be removed).