When running Datomic on the Postgres storage, we wanted to exclude H2 from the Peer classpath, but this turns out not to be possible.
With the following deps.edn:
{:deps {com.datomic/datomic-pro {:mvn/version "1.0.6362"
                                 :exclusions [com.h2database/h2]}
        org.postgresql/postgresql {:mvn/version "42.3.1"}}
 :mvn/repos {"my.datomic.com" {:url "https://my.datomic.com/repo"}}}
trying to create the database leads to
(d/create-database "datomic:sql://test?jdbc:postgresql://localhost:5432/datomic?user=datomic")
Execution error (ClassNotFoundException) at java.net.URLClassLoader/findClass (URLClassLoader.java:387).
org.h2.tools.Server
Is there another way to accomplish this?
The reason we want to exclude h2 from the classpath is because the maven artifact for h2 has several HIGH CVEs reported on it (https://mvnrepository.com/artifact/com.h2database/h2/1.3.172). I understand that Datomic does not run the H2 console and also does not involve SQLXML, so it is probably not vulnerable to the specific CVEs; however, it would be an easy way to remove a dev-only dependency in a production deployment.