> On May 24, 2022, at 2:25 PM, Piotr P. Karwasz <[email protected]> wrote:
>
> The 'log4j:log4j' dependency is only used in some performance tests, which
> probably should move to `log4j-perf`:
> https://github.com/apache/logging-log4j2/pull/890.
> If we also upgrade `h2` the `log4j-api` and `log4j-core` artifacts will not
> have any vulnerable dependency, whether it is a runtime or test dependency.
> That is more marketing than anything else, but web sites like MvnRepository
> do not distinguish yet between the different kinds of vulnerable
> dependencies.
We created log4j-core-its to move the perf tests that were run as sanity checks
during the build. The stuff in org.apache.logging.log4j.core.async.perf should
all
move there as well.
Ralph
