Hi Volkan,

On Tue, 24 May 2022 at 20:41, Volkan Yazıcı <vol...@yazi.ci> wrote:

> That is a spot-on remark with security updates, in particular
> Jackson-related ones, Piotr. Yes, we shouldn't indeed ship 2.18.0 without
> the Jackson updates. I presume you are already taking care of this?
>

Yes, Jackson is updated to a non-vulnerable version and I upgraded a couple
of Maven plugins that didn't fail on tests.

> Removing the `log4j` 1.x dependency from `log4j-core`
>
> What do you exactly mean? `log4j-core` didn't have any `log4j-1.2-api`
> dependencies last time I checked. I can only spot a `log4j:log4j`
> dependency in `test` scope. I am fine with eliminating that too, as long as
> the served functionality either can be replaced by other means or doesn't
> make sense anymore.
>

The `log4j:log4j` dependency is only used in some performance tests, which
probably should move to `log4j-perf`:
https://github.com/apache/logging-log4j2/pull/890.

If we also upgrade `h2`, the `log4j-api` and `log4j-core` artifacts will not
have any vulnerable dependency, whether it is a runtime or test dependency.
That is more marketing than anything else, but web sites like MvnRepository
do not distinguish yet between the different kinds of vulnerable
dependencies.

Piotr
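The scope distinction Piotr draws above (a `test`-scoped dependency never reaches consumers of `log4j-core`, while a `compile` or `runtime` one is inherited by every downstream build) is easy to check mechanically rather than by eye. The script below is an added example written for this page, not code from the Log4j project or from either correspondent: it parses the text output of `mvn dependency:tree` and reports, for a set of coordinates one wants gone, whether each is inherited by downstream users or only sits on the project's own test classpath. The tree text, the versions in it and the flagged coordinate list are constructed for the demonstration and are not a statement about which versions are vulnerable.

```python
"""Split the artifacts in a Maven dependency tree by whether their scope is
inherited by consumers (compile, runtime) or stays local to the build
(test, provided, system).

Added example for this mailing-list thread, not Log4j project code.  The
tree below is constructed in the `mvn dependency:tree` text format; the
versions and the FLAGGED set are assumptions made for the demonstration.
"""

# Constructed sample.  The root line carries no scope; every other line is
# tree art followed by groupId:artifactId:type[:classifier]:version:scope.
SAMPLE_TREE = """\
[INFO] org.apache.logging.log4j:log4j-core:jar:2.18.0-SNAPSHOT
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.18.0-SNAPSHOT:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.13.3:compile
[INFO] +- log4j:log4j:jar:1.2.17:test
[INFO] +- com.h2database:h2:jar:2.1.210:test
[INFO] \\- org.junit.jupiter:junit-jupiter:jar:5.8.2:test
"""

# Coordinates to look for (assumption: the ones discussed in the thread).
FLAGGED = {
    "log4j:log4j",
    "com.h2database:h2",
    "com.fasterxml.jackson.core:jackson-databind",
}

# Scopes that Maven propagates to projects depending on this artifact.
CONSUMER_SCOPES = {"compile", "runtime"}


def parse_tree(text):
    """Return (groupId, artifactId, version, scope) for each non-root line."""
    deps = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[INFO]"):
            line = line[len("[INFO]"):]
        line = line.lstrip(" |+\\-")          # drop the tree drawing
        if not line:
            continue
        coord = line.split()[0]               # drop "(optional)" style notes
        parts = coord.split(":")
        if len(parts) < 5:                    # root artifact or unrelated line
            continue
        group, artifact = parts[0], parts[1]
        version, scope = parts[-2], parts[-1]  # works with or without classifier
        deps.append((group, artifact, version, scope))
    return deps


def classify(deps, flagged):
    """Map each flagged groupId:artifactId to the versions and scopes seen,
    keeping consumer-inherited scopes apart from build-local ones."""
    report = {}
    for group, artifact, version, scope in deps:
        key = f"{group}:{artifact}"
        if key not in flagged:
            continue
        entry = report.setdefault(key, {"versions": set(), "inherited": set(), "local": set()})
        entry["versions"].add(version)
        bucket = "inherited" if scope in CONSUMER_SCOPES else "local"
        entry[bucket].add(scope)
    return report


def inherited(report):
    """Flagged coordinates that reach every consumer of the artifact."""
    return sorted(k for k, e in report.items() if e["inherited"])


def local_only(report):
    """Flagged coordinates present only under scopes consumers never see."""
    return sorted(k for k, e in report.items() if not e["inherited"])


if __name__ == "__main__":
    rep = classify(parse_tree(SAMPLE_TREE), FLAGGED)
    for key in inherited(rep):
        print(f"INHERITED  {key} {sorted(rep[key]['versions'])} {sorted(rep[key]['inherited'])}")
    for key in local_only(rep):
        print(f"LOCAL-ONLY {key} {sorted(rep[key]['versions'])} {sorted(rep[key]['local'])}")
```

On the constructed tree this lists `jackson-databind` as inherited and `log4j:log4j` and `h2` as local-only, which is exactly the split a scanner that only reads the POM does not make. `parse_tree` accepts the raw output of `mvn dependency:tree` for any module, so the same check can be run against the real `log4j-core` tree before a release.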