Rich M created OPENJPA-2899:
-------------------------------

             Summary: openjpa-maven-plugin 3.2.1 uses log4j version 2.14.1
                 Key: OPENJPA-2899
                 URL: https://issues.apache.org/jira/browse/OPENJPA-2899
             Project: OpenJPA
          Issue Type: Bug
            Reporter: Rich M


openjpa-maven-plugin version 3.2.1 contains a dependency on log4j version 2.14.1.

<log4j2.version>2.14.1</log4j2.version>

Since log4j versions lower than 2.17.1 contain critical vulnerabilities,
what is the plan to move away from this version?

Can this be overridden when declaring the openjpa-maven-plugin dependency?



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
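
Maven accepts a `<dependencies>` block inside a `<plugin>` declaration, and versions listed there take precedence on that plugin's classpath. The fragment below is an added example, not from the issue or the OpenJPA project; it assumes the plugin resolves the `log4j-api` and `log4j-core` artifacts, which the issue does not spell out.

```xml
<!-- Added example: pom.xml fragment for the project that uses the plugin.
     Assumption: openjpa-maven-plugin 3.2.1 resolves log4j-api and log4j-core
     on its own classpath (the issue only shows the log4j2.version property). -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.openjpa</groupId>
      <artifactId>openjpa-maven-plugin</artifactId>
      <version>3.2.1</version>
      <dependencies>
        <!-- Plugin-level dependencies replace the versions the plugin
             would otherwise resolve for the same groupId:artifactId. -->
        <dependency>
          <groupId>org.apache.logging.log4j</groupId>
          <artifactId>log4j-api</artifactId>
          <version>2.17.1</version>
        </dependency>
        <dependency>
          <groupId>org.apache.logging.log4j</groupId>
          <artifactId>log4j-core</artifactId>
          <version>2.17.1</version>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>
```

Running `mvn dependency:resolve-plugins` afterwards lists the artifacts each plugin actually resolves, which shows whether 2.14.1 is still on the plugin classpath.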