Rich M created OPENJPA-2899: ------------------------------- Summary: openjpa-maven-plugin 3.2.1 uses log4j version 2.14.1 Key: OPENJPA-2899 URL: https://issues.apache.org/jira/browse/OPENJPA-2899 Project: OpenJPA Issue Type: Bug Reporter: Rich M
openjpa-maven-plugin version 3.2.1 contains dependency of log4j version 2.14.1. <log4j2.version>2.14.1</log4j2.version> Since the log4j versions lower than 2.17.1 contains critical vulnerabilities, what is the plan to move away from this version ? Can this be overridden when declaring openjpa-maven-plugin dependency ? -- This message was sent by Atlassian Jira (v8.20.1#820001)