I was trying the new zk-bom added in https://tracker.zkoss.org/browse/ZK-4458 and I realized that I was excluding some transitive dependencies from zk.
The most important one is the JUL implementation of SLF4J that is defined in the project zcommon as a runtime dependency. It endup leaking into consumer projects (anyone that uses zk) and considering that zcommon is a library it really shouldn't declare a SLF4J implementation.
The other one I explicitly exclude (because of it's weight) is closure-compiler-unshaded that is defined as a compile time dependency of zk project and also leaks to consumer projects. Maybe this dependency should be optional. In fact, in code is treated as optional because is loaded only if it exists in the classpath and it requires that sourceMap configuration is enabled.