[jira] [Commented] (SLING-13093) Sling XSS should not depend on log4j 1.x

Julian Reschke (Jira) Tue, 03 Feb 2026 00:16:59 -0800


    [ 
https://issues.apache.org/jira/browse/SLING-13093?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18056127#comment-18056127
 ]


Julian Reschke commented on SLING-13093:
----------------------------------------

aha, that was already done in 96a7e55ee50d1822a3d1656dcb9375b5b895384f 
(dependabot)

> Sling XSS should not depend on log4j 1.x
> ----------------------------------------
>
>                 Key: SLING-13093
>                 URL: https://issues.apache.org/jira/browse/SLING-13093
>             Project: Sling
>          Issue Type: Bug
>          Components: XSS Protection API
>    Affects Versions: XSS Protection API 2.4.8
>            Reporter: Carsten Ziegeler
>            Assignee: Julian Reschke
>            Priority: Critical
>
> Some component currently requires org.apache.log4j, at least this is in the 
> package imports.
> As log4j 1.x is out of life since over ten years 
> (https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html), this 
> dependency needs to be removed.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (SLING-13093) Sling XSS should not depend on log4j 1.x

Reply via email to