[#3063] Whilst lombok is not vulnerable to Log4Shell, we do have the …

…dependency on log4j, solely for testing purposes, and no user input is ever logged with it. Nevertheless, pushing the dep to 2.17 to avoid false positives from vulnerability scanners ruining the day.
projectlombok · Dec 18, 2021 · 932c939 · 932c939
1 parent c10b47a
commit 932c939
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/buildScripts/ivy.xml b/buildScripts/ivy.xml
@@ -45,7 +45,7 @@
 		<!-- test deps -->
 		<dependency org="junit" name="junit" rev="4.8.2" conf="test->default; sources" />
 		<dependency org="log4j" name="log4j" rev="1.2.17" conf="test->default; sources" />
-		<dependency org="org.apache.logging.log4j" name="log4j-api" rev="2.16.0" conf="test->default; sources" />
+		<dependency org="org.apache.logging.log4j" name="log4j-api" rev="2.17.0" conf="test->default; sources" />
 		<dependency org="commons-logging" name="commons-logging" rev="1.2" conf="test->default; sources" />
 		<dependency org="org.slf4j" name="slf4j-api" rev="1.8.0-beta2" conf="test->default; sources" />
 		<dependency org="org.slf4j" name="slf4j-ext" rev="1.8.0-beta2" conf="test->default; sources" />