How to upgrade nested dependency log4j version in maven?

Time:12-15

This is regarding the 0-day exploit found in log4j2 Java logging package https://www.lunasec.io/docs/blog/log4j-zero-day/

Below is my code : pom.xml

    <dependency>
        <groupId>org.hibernate.orm</groupId>
        <artifactId>hibernate-core</artifactId>
        <version>6.0.0.Alpha7</version>
        <scope>provided</scope>
    </dependency>

    <dependency>
        <groupId>org.hibernate</groupId>
        <artifactId>hibernate-envers</artifactId>
        <version>6.0.0.Alpha5</version>
    </dependency>

    <dependency>
        <groupId>org.hibernate.validator</groupId>
        <artifactId>hibernate-validator</artifactId>
        <version>6.0.13.Final</version>
    </dependency>

Each of the above dependencies has an inner dependency:

    <dependency>
        <groupId>org.jboss.logging</groupId>
        <artifactId>jboss-logging</artifactId>
    </dependency>

And jboss-logging uses log4j » log4j 1.2.16 and org.apache.logging.log4j » log4j-api 2.11.2.

How do I update pom.xml to use org.apache.logging.log4j » log4j-core version 2.15.0?

Any help would be much appreciated! Thank you

CodePudding user response:

You should put the two dependencies (log4j-api and log4j-core) with the new version in the dependencyManagement section of your pom. Maven will resolve the inner transitive dependencies to this version.
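The dependencyManagement block the answer describes, written out as an added example (not code from the original post or from any of the projects mentioned); the `log4j2.version` property name is my own choice, and the block goes at the top level of pom.xml next to `<dependencies>`:

```xml
<!-- Added example: pin the log4j 2.x artifacts that transitive dependencies
     (here via jboss-logging) may pull in. dependencyManagement does not add
     the artifacts to the build; it only fixes the version Maven resolves
     whenever some dependency, direct or transitive, asks for them. -->
<properties>
    <!-- One place to bump the version. 2.15.0 is the version asked about;
         Apache later published further 2.x releases, so use the current one. -->
    <log4j2.version>2.15.0</log4j2.version>
</properties>

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-api</artifactId>
            <version>${log4j2.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
            <version>${log4j2.version}</version>
        </dependency>
    </dependencies>
</dependencyManagement>
```

Afterwards run `mvn dependency:tree -Dincludes=org.apache.logging.log4j` to confirm every resolved path shows 2.15.0. Note that this only governs the org.apache.logging.log4j group; the separate log4j:log4j 1.2.16 artifact listed in the question is a different coordinate and is not affected by these entries.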
