That is a spot-on remark about security updates, in particular Jackson-related ones, Piotr. Yes, we indeed shouldn't ship 2.18.0 without the Jackson updates. I presume you are already taking care of this?

> Removing the `log4j` 1.x dependency from `log4j-core`

What do you exactly mean? `log4j-core` didn't have any `log4j-1.2-api` dependencies last time I checked. I can only spot a `log4j:log4j` dependency in `test` scope. I am fine with eliminating that too, as long as the served functionality either can be replaced by other means or doesn't make sense anymore.

On Mon, May 23, 2022 at 11:04 PM Piotr P. Karwasz <[email protected]> wrote:

> Hi Ralph,
>
> On Fri, 20 May 2022 at 18:06, Ralph Goers <[email protected]> wrote:
>
> > I am working through the last few issues I want to resolve for 2.18.0.
> > I'd like to hope I can have them done today but I might not. I will be
> > traveling tomorrow through Wed, May 25 to visit friends and family. While
> > it is possible I might be able to do the release then, it is unlikely. So
> > right now my plan is to start the process next Wednesday evening MST.
>
> I am a little behind my schedule, so I sent a PR for 2.18.0 only tonight.
> It's a feature addition, so I'd like to profit from a minor version bump.
>
> It would be nice to update some dependencies too before 2.18.0: the
> `log4j-core` page on MvnRepository shows 9 security issues from
> dependencies (https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.17.2).
> Except for `jackson-databind`, which we need to upgrade again, the others are in
> the test dependencies. However, many people don't look at which dependencies
> are vulnerable and just assume the library is.
>
> Removing the `log4j` 1.x dependency from `log4j-core` (IIRC it's used by a
> performance test) and bumping `h2` would clear most of the vulnerabilities
> from test dependencies.
>
> Piotr
