This is an automated email from the ASF dual-hosted git repository.
damccorm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/beam.git
The following commit(s) were added to refs/heads/master by this push:
new beec6a3e156 Update logback version to address vulnerability (#37501)
beec6a3e156 is described below
commit beec6a3e156da5a51fe8ef548faa7699fcf7f412
Author: Danny McCormick <[email protected]>
AuthorDate: Thu Feb 5 10:59:53 2026 -0500
Update logback version to address vulnerability (#37501)
---
sdks/java/io/expansion-service/build.gradle | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/sdks/java/io/expansion-service/build.gradle
b/sdks/java/io/expansion-service/build.gradle
index dbd6e279846..be9e3704e6c 100644
--- a/sdks/java/io/expansion-service/build.gradle
+++ b/sdks/java/io/expansion-service/build.gradle
@@ -50,10 +50,9 @@ configurations.runtimeClasspath {
}
}
- // Pin logback to 1.5.20
- // Cannot upgrade to io modules due to logback 1.4.x dropped Java 8 support
- resolutionStrategy.force "ch.qos.logback:logback-classic:1.5.20"
- resolutionStrategy.force "ch.qos.logback:logback-core:1.5.20"
+ // Pin logback to 1.5.27 to resolve CVE-2026-1225
+ resolutionStrategy.force "ch.qos.logback:logback-classic:1.5.27"
+ resolutionStrategy.force "ch.qos.logback:logback-core:1.5.27"
}
shadowJar {
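Review bot: The rewritten comment above the two `resolutionStrategy.force` lines drops the only explanation of why logback is pinned in this module; the removed line said the io modules cannot upgrade because logback 1.4.x dropped Java 8 support. If that constraint still holds, I would keep it next to the CVE reference, for example `// Pin logback to 1.5.27 (fixes CVE-2026-1225); pinned per-module because logback 1.4+ dropped Java 8 support`, so that a later cleanup does not remove the pin and let an older transitive logback resolve again. `force` also overrides any newer version a dependency requests later, so the comment should mark 1.5.27 as a floor to be raised rather than an exact requirement. The forces apply only to `configurations.runtimeClasspath`, whose block opens above the hunk, so it is worth confirming with `dependencyInsight` that the configuration packaged by `shadowJar` resolves both artifacts at 1.5.27.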