
16 Jul 2021, 6:34 a.m.
Dear Slf4j team,

I noticed that when using Slf4j with log4j the dependency that gets pulled by Slf4j is outdated (log4j-1.2.17.jar). Log4J 1.2.17 reached end of life in 2015 (see http://logging.apache.org/log4j/1.2/download.html).

This leads to the following problems:

* Log4J 1.2.17 contains a security vulnerability (see https://nvd.nist.gov/vuln/detail/CVE-2019-17571)
* Log4J 1.2.17 contains a dirty bugfix that messes up the java module system (see https://stackoverflow.com/questions/60130941/resolutionexception-in-java-11)

Therefore I wanted to ask: are there any plans to switch to a newer Log4J 2.x version in the near future? I guess I am not the only one having problems with this dependency.

Best regards,
Florian Poehr