[#3063] Whilst lombok is not vulnerable to Log4Shell, we do have the …

…dependency on log4j, solely for testing purposes, and no user input is ever logged with it. Nevertheless, pushing the dep to 2.16 to avoid false positives from vulnerability scanners ruining the day.
projectlombok · Dec 16, 2021 · c10b47a · c10b47a
1 parent 35430a2
commit c10b47a
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/buildScripts/ivy.xml b/buildScripts/ivy.xml
@@ -45,7 +45,7 @@
 		<!-- test deps -->
 		<dependency org="junit" name="junit" rev="4.8.2" conf="test->default; sources" />
 		<dependency org="log4j" name="log4j" rev="1.2.17" conf="test->default; sources" />
-		<dependency org="org.apache.logging.log4j" name="log4j-api" rev="2.15.0" conf="test->default; sources" />
+		<dependency org="org.apache.logging.log4j" name="log4j-api" rev="2.16.0" conf="test->default; sources" />
 		<dependency org="commons-logging" name="commons-logging" rev="1.2" conf="test->default; sources" />
 		<dependency org="org.slf4j" name="slf4j-api" rev="1.8.0-beta2" conf="test->default; sources" />
 		<dependency org="org.slf4j" name="slf4j-ext" rev="1.8.0-beta2" conf="test->default; sources" />