On Monday, 13 December 2021 17:13:38 CET Carsten Ziegeler wrote: > I did a check as well and couldn't find anything. > > I guess the only place where log4j2 might be included is by pax exam > tests - not sure about that though.
Pax Exam is using log4j 1.x. I'm already looking into it to double check and update. At least we should have a statement on our homepage for Sling Starter which is using Sling Commons Log. O. > Regards > Carsten > > Am 13.12.2021 um 16:49 schrieb Robert Munteanu: > > On Mon, 2021-12-13 at 16:40 +0100, Bertrand Delacretaz wrote: > >> If we make a statement I think it should include the list of modules > >> we have checked as "not embedding log4j2" and describe the method > >> used > >> for that check. > > > > I have used `repo grep log4j` in the Sling repo checkout, manually > > validated that we don't pull in log4j2. > > > > If we exclude test code, we only get 54 lines, it should be quite easy > > for someone else to cross-check my findings. > > > > Thanks, > > Robert
