The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JAVA-COMMONSCODEC-561518
- https://snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-15062482
Pull request overview
Updates Maven dependency versions to address Snyk-reported vulnerabilities in the project’s dependency graph.
Changes:
- Upgrades Logback version property from 1.2.6 to 1.5.25.
- Normalizes Eclipse m2e lifecycle-mapping <ignore> elements to self-closing form.
| @@ -1445,7 +1445,7 @@ | |||
| <!-- logging --> | |||
| <org.slf4j.version>1.7.32</org.slf4j.version> | |||
logback.version was bumped to 1.5.25, but this POM still pins org.slf4j.version to 1.7.32. Logback 1.3+/1.5.x targets SLF4J 2.x, so forcing SLF4J 1.7 here can lead to dependency convergence problems and runtime failures (e.g., missing provider / NoSuchMethodError). Align the versions by upgrading org.slf4j.version (and related bridges like jcl-over-slf4j) to a compatible 2.x release, or choose a Logback version that remains compatible with SLF4J 1.7.
| <org.slf4j.version>1.7.32</org.slf4j.version> | |
| <org.slf4j.version>2.0.16</org.slf4j.version> |
| <!-- logging --> | ||
| <org.slf4j.version>1.7.32</org.slf4j.version> | ||
| <logback.version>1.2.6</logback.version> | ||
| <logback.version>1.5.25</logback.version> |
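Review bot: only logback.version changes in this hunk (1.2.6 -> 1.5.25) while the org.slf4j.version context line two lines above stays at 1.7.32, and nothing in the diff touches commons-codec even though the PR description lists SNYK-JAVA-COMMONSCODEC-561518 as fixed. Logback 1.3 and later register their SLF4J binding through the 2.x provider mechanism, so a 1.7.x slf4j-api left on the classpath will not pick it up; bump org.slf4j.version in the same hunk (for example `<org.slf4j.version>2.0.16</org.slf4j.version>`) and add an explicit commons-codec pin, otherwise the PR title and description overstate what this diff remediates.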
The PR description mentions fixing a Commons Codec vulnerability (SNYK-JAVA-COMMONSCODEC-561518), but pom.xml doesn't declare or manage commons-codec anywhere. If the vulnerable version is coming transitively, consider adding an explicit <dependencyManagement> (or direct dependency) entry to pin commons-codec to a non-vulnerable version; otherwise the PR may not actually remediate that issue as described.
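The two review comments above ask for the same kind of fix: keep the SLF4J and Logback properties in step, and pin commons-codec explicitly so a transitive copy cannot reintroduce the flagged version. The following pom.xml fragment is an added example written for this page, not this project's actual POM and not Snyk's or Copilot's output; the property names and the Logback/SLF4J versions come from the thread, while the commons-codec version 1.15 and the jcl-over-slf4j bridge are assumptions for illustration.

```xml
<!-- Added example pom.xml fragment (hypothetical, not the project's real POM). -->
<properties>
  <!-- Logback 1.3+/1.5.x binds via the SLF4J 2.x provider mechanism,
       so both properties must move together. -->
  <org.slf4j.version>2.0.16</org.slf4j.version>
  <logback.version>1.5.25</logback.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- The API and every bridge ride on the same property, so no module
         can drag a 1.7.x slf4j-api back into the graph. -->
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>${org.slf4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>jcl-over-slf4j</artifactId>
      <version>${org.slf4j.version}</version>
    </dependency>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
      <version>${logback.version}</version>
    </dependency>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-core</artifactId>
      <version>${logback.version}</version>
    </dependency>
    <!-- commons-codec is not declared directly in this project, so it
         arrives transitively; a managed version overrides whatever the
         transitive parent requests. 1.15 is an assumed value for the
         example: use the version Snyk reports as fixed for
         SNYK-JAVA-COMMONSCODEC-561518. -->
    <dependency>
      <groupId>commons-codec</groupId>
      <artifactId>commons-codec</artifactId>
      <version>1.15</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After applying the pin, confirm the graph actually converged rather than trusting the scanner's summary: `mvn dependency:tree -Dincludes=commons-codec,org.slf4j,ch.qos.logback` should list exactly one version of each artifact, and a test that logs at startup will surface the "no SLF4J providers were found" failure if an old slf4j-api still wins.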
Snyk has created this PR to fix 2 vulnerabilities in the maven dependencies of this project.
Snyk changed the following file(s):
- pom.xml

Vulnerabilities that will be fixed with an upgrade:
- SNYK-JAVA-COMMONSCODEC-561518 (No Known Exploit)
- SNYK-JAVA-CHQOSLOGBACK-15062482: 1.2.6 -> 1.5.25; ch.qos.logback:logback-core: 1.2.6 -> 1.5.25 (No Known Exploit)

Vulnerabilities that could not be fixed:
- software.amazon.awssdk:s3@2.10.27 to software.amazon.awssdk:s3@2.41.15; Reason: could not apply upgrade, dependency is managed externally; Location: https://maven-central.storage-download.googleapis.com/maven2/software/amazon/awssdk/aws-sdk-java-pom/2.10.27/aws-sdk-java-pom-2.10.27.pom

Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.