ppkarwasz opened a new pull request, #207: URL: https://github.com/apache/pdfbox/pull/207
This PR makes the following changes:

* Upgrades Log4j to version `2.25.0`.
* Hardens annotation processing in response to the [JDK 23 change in default annotation processing policy](https://inside.java/2024/06/18/quality-heads-up/), which deprecates implicit annotation processor discovery. This change has been backported to earlier JDKs as well.

### Key Improvements:

* Annotation processing is now disabled by default (`<proc>none</proc>`) to ensure only explicitly declared processors are run — a best practice that improves build predictability and mitigates supply chain risks ([background](https://javapro.io/2024/11/19/discovering-the-perfect-java-supply-chain-attack-vector-and-how-it-got-fixed/)).
* The `pdfbox-debugger` module is now explicitly compiled using:
  * `PluginProcessor` to generate the `Log4j2Plugins.dat` descriptor.
  * The new `GraalVmProcessor` to generate GraalVM reachability metadata.
* Both processors are declared explicitly along with the required compiler arguments:

  ```text
  -Alog4j.graalvm.groupId=${project.groupId}
  -Alog4j.graalvm.artifactId=${project.artifactId}
  ```

  This avoids build failures introduced by `GraalVmProcessor` when those parameters are missing.

### Why This Matters:

Log4j 2.25.0 introduces stricter behavior for `GraalVmProcessor`, which fails with an error if required options aren't set. Combined with changes to how annotation processors are discovered in JDK 23+, these updates ensure that:

* Build behavior is explicit and secure.
* The `DebugLogAppender` remains compatible with ahead-of-time compilation tools like GraalVM.
* The project is future-proofed against evolving Java defaults and security posture.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
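A build-side check for the policy described in the PR, as an added example that is not part of the PR or of PDFBox: it flags `maven-compiler-plugin` configurations that neither set `<proc>none</proc>` nor list `<annotationProcessors>`, and configurations that declare `GraalVmProcessor` without both `-Alog4j.graalvm.*` arguments. The function name `audit_pom`, the helper `pom` and the sample POMs are constructed for illustration; each `<configuration>` is judged in isolation, with no parent-POM inheritance resolved.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Options the PR says GraalVmProcessor requires as of Log4j 2.25.0.
GRAALVM_ARGS = ("-Alog4j.graalvm.groupId=", "-Alog4j.graalvm.artifactId=")

def audit_pom(pom_xml):
    """Return findings for each maven-compiler-plugin <configuration> in one POM."""
    findings = []
    for plugin in ET.fromstring(pom_xml).iterfind(".//m:plugin", NS):
        if plugin.findtext("m:artifactId", "", NS).strip() != "maven-compiler-plugin":
            continue
        configs = plugin.findall(".//m:configuration", NS)
        if not configs:
            findings.append("no <configuration>: processor discovery is implicit")
        for cfg in configs:
            proc = cfg.findtext("m:proc", "", NS).strip()
            processors = [(p.text or "").strip()
                          for p in cfg.iterfind("m:annotationProcessors/m:processor", NS)]
            args = [(a.text or "").strip() for a in cfg.iterfind("m:compilerArgs/m:arg", NS)]
            if proc != "none" and not processors:
                findings.append("implicit processor discovery: no <proc>none</proc> "
                                "and no <annotationProcessors>")
            if any(p.endswith("GraalVmProcessor") for p in processors):
                for prefix in GRAALVM_ARGS:
                    if not any(a.startswith(prefix) for a in args):
                        findings.append("GraalVmProcessor declared without " + prefix)
    return findings

def pom(config_body):
    """Wrap a constructed <configuration> body in a minimal namespaced POM."""
    return ('<project xmlns="http://maven.apache.org/POM/4.0.0"><build><plugins><plugin>'
            "<artifactId>maven-compiler-plugin</artifactId>"
            "<configuration>" + config_body + "</configuration>"
            "</plugin></plugins></build></project>")

# Constructed sample inputs (not taken from the PDFBox repository). Processor
# names are the short ones used in the PR text; a real POM lists qualified names.
IMPLICIT = pom("<release>11</release>")
DISABLED = pom("<proc>none</proc>")
EXPLICIT = pom("<annotationProcessors>"
               "<processor>PluginProcessor</processor><processor>GraalVmProcessor</processor>"
               "</annotationProcessors><compilerArgs>"
               "<arg>-Alog4j.graalvm.groupId=${project.groupId}</arg>"
               "<arg>-Alog4j.graalvm.artifactId=${project.artifactId}</arg></compilerArgs>")
MISSING_ARG = pom("<annotationProcessors><processor>GraalVmProcessor</processor>"
                  "</annotationProcessors><compilerArgs>"
                  "<arg>-Alog4j.graalvm.groupId=${project.groupId}</arg></compilerArgs>")

if __name__ == "__main__":
    for name, doc in [("implicit", IMPLICIT), ("disabled", DISABLED),
                      ("explicit", EXPLICIT), ("missing-arg", MISSING_ARG)]:
        print(name, audit_pom(doc) or "ok")
```

Running it against the output of `mvn help:effective-pom` rather than a single module's `pom.xml` lets inherited settings such as a parent's `<proc>none</proc>` be taken into account.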