Re: Maven Dependency Plugin - Log4j vulnerabilities

2022-03-04 Thread Piotr Żygieło
> https://github.com/jveverka/mvn-dependency-log4j/commit/ac87977c19bb2ee2564d15fa87f255d621a4706d
https://github.com/pzygielo/mvn-dependency-log4j/runs/5425284512?check_suite_focus=true#step:5:1

No log4j:1.2.12:jar is downloaded in that reproducer.

log4j/log4j is excluded by commons-logging from its dependencies.

-- 
Piotrek


Re: Maven Dependency Plugin - Log4j vulnerabilities

2022-03-02 Thread Piotr Żygieło
On Thu, 3 Mar 2022 at 08:37, Thomas Matthijs wrote:
>
> Can confirm this project downloads log4j 1.12.12 for me

As I see it - you confirm something else.

> Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:

Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
_artifact descriptor_

-- 
Piotrek
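
The difference this thread turns on, an artifact descriptor (POM) being read versus the jar itself being downloaded, can be checked in the local repository. The following is an added example, not part of the original messages: the function names, the state labels and the sample repository (including version 1.2.17) are constructed for illustration, and it assumes the standard local repository layout and the `.lastUpdated` marker Maven leaves after a failed lookup.

```shell
#!/bin/sh
# Added example: report what Maven actually stored for an artifact version.

# classify_artifact <repo-root> <groupId> <artifactId> <version>
classify_artifact() {
    # Local repository layout: dots in the groupId become directories.
    dir="$1/$(printf '%s' "$2" | tr . /)/$3/$4"
    base="$dir/$3-$4"
    if [ -f "$base.jar" ]; then
        echo "jar-present"          # the binary is on disk
    elif [ -f "$base.pom" ]; then
        echo "descriptor-only"      # POM was read, jar never fetched
    elif [ -f "$base.pom.lastUpdated" ]; then
        echo "lookup-failed"        # descriptor lookup was tried and failed
    else
        echo "absent"
    fi
}

# scan_artifact <repo-root> <groupId> <artifactId>: one line per stored version.
scan_artifact() {
    root="$1/$(printf '%s' "$2" | tr . /)/$3"
    [ -d "$root" ] || return 0
    for vdir in "$root"/*/; do
        [ -d "$vdir" ] || continue
        v=$(basename "$vdir")
        printf '%s:%s:%s %s\n' "$2" "$3" "$v" "$(classify_artifact "$1" "$2" "$3" "$v")"
    done
}

# Constructed sample repository (empty placeholder files, not real artifacts).
build_constructed_repo() {
    r=$(mktemp -d)
    mkdir -p "$r/log4j/log4j/1.2.12" "$r/log4j/log4j/1.2.17"
    : > "$r/log4j/log4j/1.2.12/log4j-1.2.12.pom"
    : > "$r/log4j/log4j/1.2.17/log4j-1.2.17.pom"
    : > "$r/log4j/log4j/1.2.17/log4j-1.2.17.jar"
    echo "$r"
}

sample=$(build_constructed_repo)
scan_artifact "$sample" log4j log4j
rm -rf "$sample"
```

Against a real build machine, pass the local repository root (by default `~/.m2/repository`) as the first argument instead of the constructed sample.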