[ https://issues.apache.org/jira/browse/OPENJPA-2899?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Romain Manni-Bucau updated OPENJPA-2899: ---------------------------------------- Issue Type: Task (was: Bug) > openjpa-maven-plugin 3.2.1 uses log4j version 2.14.1 > ---------------------------------------------------- > > Key: OPENJPA-2899 > URL: https://issues.apache.org/jira/browse/OPENJPA-2899 > Project: OpenJPA > Issue Type: Task > Reporter: Rich M > Priority: Minor > > openjpa-maven-plugin version 3.2.1 contains dependency of log4j version > 2.14.1. > <log4j2.version>2.14.1</log4j2.version> > Since the log4j versions lower than 2.17.1 contains critical vulnerabilities, > what is the plan to move away from this version ? > Can this be overridden when declaring openjpa-maven-plugin dependency ? -- This message was sent by Atlassian Jira (v8.20.1#820001)