I’ve created https://issues.apache.org/jira/browse/LOG4J2-3516 for this.
Ralph

> On May 24, 2022, at 9:41 PM, Ralph Goers <[email protected]> wrote:
>
>> On May 24, 2022, at 2:25 PM, Piotr P. Karwasz <[email protected]> wrote:
>>
>> The 'log4j:log4j' dependency is only used in some performance tests, which
>> probably should move to `log4j-perf`:
>> https://github.com/apache/logging-log4j2/pull/890.
>> If we also upgrade `h2` the `log4j-api` and `log4j-core` artifacts will not
>> have any vulnerable dependency, whether it is a runtime or test dependency.
>> That is more marketing than anything else, but web sites like MvnRepository
>> do not distinguish yet between the different kinds of vulnerable
>> dependencies.
>
> We created log4j-core-its to move the perf tests that were run as sanity checks
> during the build. The stuff in org.apache.logging.log4j.core.async.perf should all
> move there as well.
>
> Ralph
