kezhuw opened a new pull request, #2294: URL: https://github.com/apache/zookeeper/pull/2294
This way we can upgrade them separately to solve CVE issues and mitigate the consequence of the breaking change.

1. For library usage, we depend only on `slf4j-api` 1.7.x, which has no CVE issues.
2. For test usage, we keep logback at 1.2.x, which does have CVE issues. But since test dependencies are not transitive, this won't affect dependants.
3. For application usage, we bump `slf4j-api` to 2.x and `logback-classic` to 1.3.15 to solve the CVE issues of logback[1].

This way we restrict the breaking change to only application jars, e.g. the zookeeper server tarball. The breaking change happens only when administrators put custom incompatible `slf4j-api` and `logback-classic` versions in the classpath, e.g. they pin `slf4j-api` to 1.7.x or they pin `logback-classic` to 1.2.x but not both. The consequence of the breaking change is also noticeable: there will be no logs except logs written directly to `stdout` or `stderr`, which most likely are a few lines from `slf4j` complaining about "no slf4j providers".

[1]: https://mvnrepository.com/artifact/ch.qos.logback/logback-classic/1.2.13
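One way an operator or CI job could check a POM for the two failure modes the PR describes (logback leaking out of a library POM through a non-test scope, and a mismatched `slf4j-api` / `logback-classic` pair that leaves no provider to bind), as an added example that is not ZooKeeper project code. It assumes the pairing rule the PR relies on: `slf4j-api` 1.7.x binds to logback 1.2.x, while `slf4j-api` 2.x needs logback 1.3 or later; the POM text it builds is constructed sample input.

```python
"""Check a Maven POM's slf4j-api / logback-classic dependencies (added example)."""
from xml.etree import ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def dependencies(pom_xml: str):
    """Return (artifactId, version, scope) for each <dependency>; scope defaults to compile."""
    root = ET.fromstring(pom_xml)
    return [
        (dep.findtext("m:artifactId", namespaces=NS),
         dep.findtext("m:version", namespaces=NS),
         dep.findtext("m:scope", default="compile", namespaces=NS))
        for dep in root.findall(".//m:dependencies/m:dependency", NS)
    ]


def check_logging_deps(pom_xml: str, is_library: bool):
    """Return findings; an empty list means the POM follows the split described in the PR."""
    findings = []
    deps = {artifact: (version, scope) for artifact, version, scope in dependencies(pom_xml)}
    api = deps.get("slf4j-api")
    impl = deps.get("logback-classic")
    # A library POM must not let logback (with its CVEs) reach dependants transitively.
    if is_library and impl and impl[1] != "test":
        findings.append(f"logback-classic {impl[0]} is {impl[1]} scope; dependants will inherit it")
    # Assumed pairing rule: slf4j-api 1.7.x <-> logback 1.2.x, slf4j-api 2.x <-> logback >= 1.3.
    if api and impl and api[0] and impl[0]:
        api_is_2x = int(api[0].split(".")[0]) >= 2
        impl_is_13_plus = tuple(int(x) for x in impl[0].split(".")[:2]) >= (1, 3)
        if api_is_2x != impl_is_13_plus:
            findings.append(f"slf4j-api {api[0]} and logback-classic {impl[0]} cannot bind: "
                            "expect 'no slf4j providers' and no logs")
    return findings


def sample_pom(api_version: str, impl_version: str, impl_scope: str) -> str:
    """Constructed minimal POM carrying only the two logging dependencies."""
    return f"""<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId>
      <version>{api_version}</version></dependency>
    <dependency><groupId>ch.qos.logback</groupId><artifactId>logback-classic</artifactId>
      <version>{impl_version}</version><scope>{impl_scope}</scope></dependency>
  </dependencies>
</project>"""


if __name__ == "__main__":
    print(check_logging_deps(sample_pom("1.7.36", "1.2.13", "test"), is_library=True))     # []
    print(check_logging_deps(sample_pom("1.7.36", "1.3.15", "compile"), is_library=False)) # mismatch
```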