ppkarwasz commented on PR #233: URL: https://github.com/apache/commons-logging/pull/233#issuecomment-2002638043
@garydgregory,

Let's wait for the `1.3.1` release then. If the work you did on `log4j:log4j` alleviates the problems you had with security scanners, we might consider this PR, otherwise I'll close it.

**Remark**: many "security" scanners treat `log4j` differently from other dependencies, e.g. GraalVM gives me this nice message, when I use a snapshot of Log4j:

```
Warning: The log4j library has been detected, but the version is unavailable.
Due to Log4Shell, please ensure log4j is at version 2.17.1 or later.
```

It doesn't have the same problem with `oro:oro` that hasn't been maintained in two decades.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
