This is an automated email from the ASF dual-hosted git repository. damccorm pushed a commit to branch users/damccorm/logback in repository https://gitbox.apache.org/repos/asf/beam.git
commit d99f56f362a3f3320114a4643c78471b5c828917 Author: Danny Mccormick <[email protected]> AuthorDate: Wed Feb 4 11:22:09 2026 -0500 Update logback version to address vulnerability --- sdks/java/io/expansion-service/build.gradle | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/sdks/java/io/expansion-service/build.gradle b/sdks/java/io/expansion-service/build.gradle index dbd6e279846..be9e3704e6c 100644 --- a/sdks/java/io/expansion-service/build.gradle +++ b/sdks/java/io/expansion-service/build.gradle @@ -50,10 +50,9 @@ configurations.runtimeClasspath { } } - // Pin logback to 1.5.20 - // Cannot upgrade to io modules due to logback 1.4.x dropped Java 8 support - resolutionStrategy.force "ch.qos.logback:logback-classic:1.5.20" - resolutionStrategy.force "ch.qos.logback:logback-core:1.5.20" + // Pin logback to 1.5.27 to resolve CVE-2026-1225 + resolutionStrategy.force "ch.qos.logback:logback-classic:1.5.27" + resolutionStrategy.force "ch.qos.logback:logback-core:1.5.27" } shadowJar {
