Bump logback-classic to 1.4.14 #1291
Conversation
| @@ -36,7 +36,7 @@ object Dependencies { | |||
| val magentaLibDeps = | |||
| commonDeps ++ jacksonOverrides ++ akkaSerializationJacksonOverrides ++ Seq( | |||
| "com.squareup.okhttp3" % "okhttp" % "4.12.0", | |||
| "ch.qos.logback" % "logback-classic" % "1.4.8", // scala-steward:off | |||
| "ch.qos.logback" % "logback-classic" % "1.4.14", // scala-steward:off | |||
There was a problem hiding this comment.
We previously experienced an issue updating this dependency in this repository - #1232. Have we successfully deployed to CODE?
There was a problem hiding this comment.
Haven't tried this in code. The error does seem unrelated though
java.lang.AssertionError: assertion failed: no symbol could be loaded from interface software.amazon.awssdk.services.s3.model.ListObjectsV2Response$Builder in class ListObjectsV2Response with name Builder and classloader sbt.internal.LayeredClassLoader@6286d22d
There was a problem hiding this comment.
Yea builds now, just a fragile test. Ill give it a go in CODE tomorrow just on case though.
There was a problem hiding this comment.
You are absolutely right this does break CODE. Unfortunately I don't think we can just dump logback and switch to devx-logs... As far as I understand Logback is pretty core to Play logging, and you would still need to use it regardless of logging to kinesis or logging to stdout 🤔
There was a problem hiding this comment.
#1292 switches to devx-logs, it might not resolve the reported vulnerabilities, but it's less code in the repository 😄.
|
This version of logback-classic is incompatible with our Play version. We probably need to do a bit of work to try and get riff-raff to Play 3.0 (or atleast a newer version of play) before we can fix this vuln. |
What does this change?
Bumps logback-classic to 1.4.14. Resolving 4 high vulnerabilities.