[ https://issues.apache.org/jira/browse/OPENJPA-2899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17496545#comment-17496545 ]
Romain Manni-Bucau commented on OPENJPA-2899:
---------------------------------------------

Hi [~richm123],

In terms of vulnerability this is quite low (or you would have to show me how to exploit it without willing it ;)). You can override it by adding the version you want as a dependency of the plugin. That said, I have no issue to move the scope to provided since this dependency is not needed.

> openjpa-maven-plugin 3.2.1 uses log4j version 2.14.1
> ----------------------------------------------------
>
> Key: OPENJPA-2899
> URL: https://issues.apache.org/jira/browse/OPENJPA-2899
> Project: OpenJPA
> Issue Type: Bug
> Reporter: Rich M
> Priority: Critical
>
> openjpa-maven-plugin version 3.2.1 contains a dependency on log4j version
> 2.14.1.
> <log4j2.version>2.14.1</log4j2.version>
> Since the log4j versions lower than 2.17.1 contain critical vulnerabilities,
> what is the plan to move away from this version?
> Can this be overridden when declaring the openjpa-maven-plugin dependency?

--
This message was sent by Atlassian Jira
(v8.20.1#820001)