[Snyk] Security upgrade org.apache.logging.log4j:log4j-core from 2.7 to 2.25.3#19
[Snyk] Security upgrade org.apache.logging.log4j:log4j-core from 2.7 to 2.25.3#19DavidThomas-coder wants to merge 1 commit intomainfrom
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-14532782
There was a problem hiding this comment.
This is the final PR Bugbot will review for you during this billing cycle
Your free Bugbot reviews will reset on January 25
Details
You are on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle.
To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.
| <groupId>org.apache.logging.log4j</groupId> | ||
| <artifactId>log4j-core</artifactId> | ||
| <version>2.7</version> | ||
| <version>2.25.3</version> |
There was a problem hiding this comment.
Log4j version mismatch will cause runtime errors
The log4j-core dependency was upgraded to version 2.25.3 while log4j-api remains at version 2.7. These components must have matching versions to work correctly. This 18-minor-version mismatch will cause NoSuchMethodError or ClassNotFoundException at runtime when the newer log4j-core tries to call methods that don't exist in the older log4j-api. The log4j-api version needs to be upgraded to 2.25.3 as well.
Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.
Snyk changed the following file(s):
todolist-goof/todolist-web-struts/pom.xmlVulnerabilities that will be fixed with an upgrade:
SNYK-JAVA-ORGAPACHELOGGINGLOG4J-14532782
2.7->2.25.3No Path FoundNo Known ExploitImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.
Note
Updates dependency to address security and maintenance concerns.
org.apache.logging.log4j:log4j-corefrom2.7to2.25.3intodolist-goof/todolist-web-struts/pom.xmllog4j-api) remain unchangedWritten by Cursor Bugbot for commit 1ec0f13. This will update automatically on new commits. Configure here.