[Snyk] Fix for 3 vulnerabilities #5248
base: master
@@ -262,7 +262,7 @@ | |||||
| </goals> | ||||||
| </pluginExecutionFilter> | ||||||
| <action> | ||||||
| <ignore></ignore> | ||||||
| <ignore/> | ||||||
| </action> | ||||||
| </pluginExecution> | ||||||
| <pluginExecution> | ||||||
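Review bot: the only change in this hunk, `<ignore></ignore>` to `<ignore/>` inside the m2e `<pluginExecution>` `<action>` at line 262, is a serialization-only rewrite with no effect on the build and nothing to do with fixing a vulnerability. In a PR titled "[Snyk] Fix for 3 vulnerabilities" this noise makes the security change harder to review and to revert on its own; either drop the pom reformatting from this PR or state in the description that the tool re-serialized the file.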
@@ -281,7 +281,7 @@ | |||||
| </goals> | ||||||
| </pluginExecutionFilter> | ||||||
| <action> | ||||||
| <ignore></ignore> | ||||||
| <ignore/> | ||||||
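Review bot: same `<ignore/>` rewrite as the hunk at line 262, repeated at line 281. Neither visible hunk touches a `<version>` element or a version property, so the dependency bumps the PR title claims are not in the hunks shown here; confirm they are present in the full diff before approving, and if the tag rewrites stay, check that every `<ignore>` in the lifecycle-mapping was rewritten the same way so the file does not end up with two styles.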
Suggested change (Copilot): replace `<ignore/>` with `<ignore></ignore>`.
Copilot (AI), Jan 28, 2026:
The upgrade from Logback 1.2.6 to 1.5.25 introduces a significant compatibility concern. Logback 1.5.x requires SLF4J 2.0.x or higher, but this project is using SLF4J 1.7.32. According to Logback's official compatibility documentation, Logback 1.5.x is designed to work with SLF4J 2.0.x API. Using Logback 1.5.25 with SLF4J 1.7.32 may lead to runtime errors or unexpected behavior.
To properly fix the security vulnerability, you should either:
- Upgrade to Logback 1.2.13 (the latest 1.2.x version) which is compatible with SLF4J 1.7.x and addresses the security issue, or
- Upgrade both Logback to 1.5.25 AND SLF4J to 2.0.x (e.g., 2.0.16) to maintain compatibility.
The first option (Logback 1.2.13) would be less risky as it avoids potential breaking changes from the SLF4J major version upgrade.
Suggested change (Copilot): replace `<logback.version>1.5.25</logback.version>` with `<logback.version>1.2.13</logback.version>`.
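The compatibility rule in the comment above (Logback 1.2.x binds to the SLF4J 1.7.x API, Logback 1.5.x needs SLF4J 2.0.x) is easy to violate when a scanner bumps one coordinate and not the other. The script below is an added example, not code from this PR or from the project it targets: it parses a pom.xml, resolves `${property}` references in dependency versions, and reports whether the declared `logback-classic` and `slf4j-api` versions belong to the same API generation. The pom strings are constructed for illustration and use the versions named in the comment; treating Logback 1.3.x and 1.4.x like 1.5.x (all on the SLF4J 2.0 API) generalizes beyond the two cases the comment states and is an assumption here.

```python
"""Check that the Logback and SLF4J versions declared in a Maven pom.xml
belong to the same API generation.

Added example; not code from the Snyk PR or the project it targets.
Assumed rule (generalized from the review comment): Logback 1.2.x pairs with
SLF4J 1.7.x, Logback 1.3.x and later require the SLF4J 2.0.x API.
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
LOGBACK = ("ch.qos.logback", "logback-classic")
SLF4J = ("org.slf4j", "slf4j-api")

# Constructed sample pom: the mixed state the review comment describes,
# Logback 1.5.25 declared on top of SLF4J 1.7.32.
POM_MIXED = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <logback.version>1.5.25</logback.version>
    <slf4j.version>1.7.32</slf4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>${slf4j.version}</version>
    </dependency>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
      <version>${logback.version}</version>
    </dependency>
  </dependencies>
</project>"""

# The two remediations the comment proposes (also constructed).
POM_LOGBACK_1_2_13 = POM_MIXED.replace("1.5.25", "1.2.13")
POM_BOTH_UPGRADED = POM_MIXED.replace("1.7.32", "2.0.16")


def _local(tag):
    """Strip the namespace prefix from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def _resolve(version, props):
    """Expand ${property} references using the pom's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), version)


def declared_versions(pom_xml):
    """Return {(groupId, artifactId): resolved version} for every <dependency>."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_el = root.find("m:properties", NS)
    if props_el is not None:
        props = {_local(p.tag): (p.text or "").strip() for p in props_el}
    out = {}
    for dep in root.iterfind(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        ver = dep.findtext("m:version", default="", namespaces=NS).strip()
        if gid and aid and ver:
            out[(gid, aid)] = _resolve(ver, props)
    return out


def _major_minor(version):
    major, minor = version.split(".")[:2]
    return int(major), int(minor)


def check_compatibility(pom_xml):
    """Return (ok, message). ok is False when Logback and SLF4J straddle the
    1.7 / 2.0 API boundary (assumed rule: Logback >= 1.3 needs SLF4J >= 2.0)."""
    versions = declared_versions(pom_xml)
    logback = versions.get(LOGBACK)
    slf4j = versions.get(SLF4J)
    if logback is None or slf4j is None:
        return True, "logback-classic or slf4j-api not declared; nothing to check"
    needs_slf4j_2 = _major_minor(logback) >= (1, 3)
    has_slf4j_2 = _major_minor(slf4j) >= (2, 0)
    if needs_slf4j_2 == has_slf4j_2:
        return True, f"logback {logback} and slf4j-api {slf4j} are compatible"
    wanted = "2.0.x" if needs_slf4j_2 else "1.7.x"
    return False, (f"logback {logback} requires slf4j-api {wanted}, "
                   f"but {slf4j} is declared")


if __name__ == "__main__":
    for name, pom in (("mixed", POM_MIXED),
                      ("logback 1.2.13", POM_LOGBACK_1_2_13),
                      ("both upgraded", POM_BOTH_UPGRADED)):
        ok, msg = check_compatibility(pom)
        print(f"{name:15s} {'OK ' if ok else 'BAD'} {msg}")
```

Run it against a real pom with `check_compatibility(open("pom.xml").read())`; versions inherited from a parent pom or a BOM are not resolved here, so for those cases compare against `mvn dependency:tree` output instead.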
This formatting change from opening and closing tags to a self-closing tag is functionally equivalent and valid XML. While this is a stylistic improvement, it appears unrelated to the security vulnerability fixes described in the PR. Consider whether these formatting changes should be in a separate PR focused on code cleanup, rather than mixed with security fixes. This helps maintain clear PR history and easier rollback if needed.