You can upgrade your own build. We don't make releases just to update pom files. The log4j-api jar has no known security issues. log4j-core may have issues but as I say, you can fix your own pom file. We are volunteers.
On Wed, 15 Apr 2026 at 11:37, Rodrigo Bourbon via dev <[email protected]> wrote:
>
> Hi, log4j was updated here
> <https://github.com/apache/xmlbeans/commit/8d25c62ef2866ee00eb7194dc0c464639a92b5af>
> but there is no released version with the change yet. What's the ETA for the
> release with that change? Some projects have completely banned version
> 2.24.x artifacts of log4j due to the vulnerability. Given how Maven works,
> if you depend on xmlbeans and manage the log4j version to 2.25.x, the
> log4j-api 2.24 POM and JAR are downloaded.
