Update for log4j-core is listed, which is not in the dependency tree #686
Comments
Have you looked at the build environment dependencies yet? That’s how we check for plugin updates. https://docs.gradle.org/2.10/release-notes.html#new-task-for-visualising-a-buildscript-dependencies
Thanks for that hint! In our project
So there are two occurrences of
In any case, I guess this is (again) not an issue with the
Correct. Gradle added a hack to force upgrades of log4j2 if detected on the classpath regardless of your configuration. It was surprising when detected, see #576
So, as
I think so
I'm still surprised that this update is reported, because
I think Gradle’s hack forces it to so that you don’t have that exploit leak in from a transitive dependency. Otherwise I don’t know why either
In our project we recently migrated from log4j-core to logback (but kept log4j-api as the logger API for now). After the migration, ./gradlew dependencies / ./gradlew allDepedencies (a custom task of ours) confirms there is no log4j-core anymore anywhere in the dependency tree. Still, running ./gradlew depUp lists https://logging.apache.org/log4j/2.x/
Any idea where this might be coming from?
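
Added example, not part of the issue thread or the plugin's code: a small parser for the dependency-tree text printed by ./gradlew buildEnvironment (the build environment report suggested in the comments) or ./gradlew dependencies. It reports every path by which an artifact such as log4j-core reaches a classpath, with the requested and resolved versions. The sample report and its com.example coordinates are constructed.

```python
import re

# One tree node: indent units of "|    " or "     ", then "+--- " or "\--- ",
# then group:name[:version], optionally followed by " -> resolved".
NODE = re.compile(
    r"^(?P<indent>(?:[| ] {4})*)[+\\]--- (?P<coord>\S+)(?: -> (?P<resolved>\S+))?"
)

def find_artifact(report, name="log4j-core"):
    """Return (configuration, path, requested, resolved) for each occurrence."""
    hits, stack, config = [], [], None
    for line in report.splitlines():
        m = NODE.match(line)
        if m is None:
            if line.strip():
                # Non-node text: treat it as a configuration header ("classpath").
                config = line.split(" - ")[0].strip()
            continue
        depth = len(m["indent"]) // 5          # each tree level is 5 characters wide
        parts = m["coord"].split(":")
        artifact = parts[1] if len(parts) > 1 else parts[0]
        del stack[depth:]                      # drop siblings and deeper nodes
        stack.append(":".join(parts[:2]))
        if artifact == name:
            requested = parts[2] if len(parts) > 2 else None
            hits.append((config, list(stack), requested, m["resolved"] or requested))
    return hits

# Constructed sample of a buildscript classpath report (not taken from the issue).
SAMPLE = r"""
classpath
+--- com.example:build-plugin:1.4.0
|    +--- com.example:plugin-support:1.4.0
|    |    \--- org.apache.logging.log4j:log4j-core:2.14.1 -> 2.17.1
|    \--- org.slf4j:slf4j-api:1.7.32
\--- com.example:other-plugin:2.0.0
     \--- org.apache.logging.log4j:log4j-api:2.17.1
"""

if __name__ == "__main__":
    for config, path, requested, resolved in find_artifact(SAMPLE):
        print(f"{config}: {' -> '.join(path)} (requested {requested}, resolved {resolved})")
```

A hit under the classpath configuration whose requested and resolved versions differ means log4j-core arrives through a build plugin and had its version overridden, which the project's own ./gradlew dependencies output does not show.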