fix vulnerable dependency log4j #1803
edmoffo left a comment
The dependency swap is incomplete. The project still ships log4j 1.x configuration files at src/test/resources/log4j.properties and src/it/basic-usage/src/test/resources/log4j.properties that reference org.apache.log4j.ConsoleAppender and the 1.x property schema, which log4j-core 2.x cannot consume. Tests that rely on this configuration will lose their appender setup. The migration needs the property files converted to log4j2.xml (or log4j2.properties with the 2.x syntax), and the com.jcabi.log MulticolorLayout binding has to be replaced with the 2.x equivalent or dropped if no longer available. Please update those files in the same PR.
| <version>1.2.17</version> | ||
| <groupId>org.apache.logging.log4j</groupId> | ||
| <artifactId>log4j-core</artifactId> | ||
| <version>2.24.1</version> |
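Review bot: The `log4j-core` artifact on the added lines does not contain the `org.apache.log4j` package, so once `1.2.17` is removed any source, test code or test-time library that still imports 1.x classes will fail to resolve them. Either add the `log4j-1.2-api` bridge next to `log4j-core` or migrate those call sites to the 2.x API in this change. Separately, consider moving the hard-coded `2.24.1` into a version property so the next security bump touches one line.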
Switching from log4j 1.2.17 to log4j-core 2.x leaves src/test/resources/log4j.properties and src/it/basic-usage/src/test/resources/log4j.properties pointing at org.apache.log4j.ConsoleAppender, which does not exist in 2.x. Convert those property files to the log4j2 configuration format (log4j2.xml or log4j2.properties) in this PR, otherwise test logging silently breaks.
No description provided.
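A check for the leftover 1.x configuration the review comments describe, as an added example that is not part of this PR or the project's code: it scans properties text for 1.x-schema keys and reports appender and layout classes that need a 2.x replacement. Both sample files and the function name `audit_log4j_properties` are constructed for illustration.

```python
import re

# Constructed sample in the log4j 1.x property schema (not the project's actual file).
SAMPLE_1X = """\
# test logging
log4j.rootLogger=INFO, CONSOLE
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.layout=com.jcabi.log.MulticolorLayout
log4j.appender.CONSOLE.layout.ConversionPattern=[%p] %c: %m%n
"""

# Constructed sample in log4j2.properties (2.x) syntax.
SAMPLE_2X = """\
status = warn
appender.console.type = Console
appender.console.name = CONSOLE
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = [%p] %c: %m%n
rootLogger.level = info
rootLogger.appenderRef.console.ref = CONSOLE
"""

def audit_log4j_properties(text):
    """Return (line, kind, key, value) for every 1.x-schema entry in the text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or properties comment
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if len(parts) != 2 or not parts[0].startswith("log4j."):
            continue  # 2.x config keys carry no "log4j." prefix
        key, value = parts
        segs = key.split(".")
        if segs[1] == "appender" and len(segs) == 3:
            kind = "1.x-appender"  # value is the appender class name
        elif segs[1] == "appender" and len(segs) == 4 and segs[3] == "layout":
            # Third-party layouts need their own 2.x equivalent or removal.
            kind = "1.x-layout" if value.startswith("org.apache.log4j.") else "custom-layout"
        else:
            kind = "1.x-key"
        findings.append((lineno, kind, key, value))
    return findings

if __name__ == "__main__":
    for finding in audit_log4j_properties(SAMPLE_1X):
        print(*finding, sep="\t")
```

An empty result for a file means it contains no 1.x-schema keys; it does not validate that the 2.x configuration itself is correct.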