Skip to content

[Snyk] Upgrade ch.qos.logback:logback-classic from 1.4.12 to 1.5.21 #11

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
sajith-subramanian wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Snyk] Upgrade ch.qos.logback:logback-classic from 1.4.12 to 1.5.21 #11

sajith-subramanian wants to merge 1 commit into from

Conversation

@sajith-subramanian
Copy link
Contributor

@sajith-subramanian sajith-subramanian commented Dec 13, 2025

snyk-top-banner

Snyk has created this PR to upgrade ch.qos.logback:logback-classic from 1.4.12 to 1.5.21.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 24 versions ahead of your current version.

  • The recommended version was released a month ago.

Merge Risk: High

This upgrade to Logback 1.5.x introduces significant breaking changes requiring developer action.

Highlights:

  • Java 11 Required: The runtime requirement has been raised from Java 8 to Java 11.
  • SLF4J 2.0 Required: This version now requires SLF4J 2.0.x, which is a breaking change from the SLF4J 1.7.x used with older Logback versions. This will require a coordinated update of the SLF4J dependency across the entire project.

Source: Logback Documentation
Recommendation: This upgrade requires careful dependency management. Ensure the project's JDK is at least version 11 and that all SLF4J dependencies are updated to the 2.x line before merging.

Notice 🤖: This content was generated using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Uncontrolled Resource Consumption ('Resource Exhaustion')
SNYK-JAVA-CHQOSLOGBACK-6097493		 61 No Known Exploit
high severity Uncontrolled Resource Consumption ('Resource Exhaustion')
SNYK-JAVA-CHQOSLOGBACK-6097492		 61 No Known Exploit
medium severity External Initialization of Trusted Variables or Data Stores
SNYK-JAVA-CHQOSLOGBACK-13169722		 61 No Known Exploit
medium severity Improper Neutralization of Special Elements
SNYK-JAVA-CHQOSLOGBACK-8539866		 61 No Known Exploit
medium severity Improper Neutralization of Special Elements
SNYK-JAVA-CHQOSLOGBACK-8539867		 61 No Known Exploit
low severity Server-side Request Forgery (SSRF)
SNYK-JAVA-CHQOSLOGBACK-8539865		 61 No Known Exploit

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

@snyk-bot
fix: upgrade ch.qos.logback:logback-classic from 1.4.12 to 1.5.21
904c393 
Snyk has created this PR to upgrade ch.qos.logback:logback-classic from 1.4.12 to 1.5.21.

See this package in maven:
ch.qos.logback:logback-classic

See this project in Snyk:
https://app.snyk.io/org/aps-sdk/project/3b347854-1989-481d-8760-53afcb6147d0?utm_source=github&utm_medium=referral&page=upgrade-pr
Copilot AI review requested due to automatic review settings December 13, 2025 09:43
Copilot AI reviewed Dec 13, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR upgrades the Logback Classic dependency from version 1.4.12 to 1.5.21 to address multiple security vulnerabilities including resource exhaustion, improper neutralization, and SSRF issues. The upgrade also moves to a version that requires Java 11 and SLF4J 2.0.x compatibility.

Key Changes

  • Updated logback.version property from 1.4.12 to 1.5.21
  • Addresses 6 security vulnerabilities (2 high, 3 medium, 1 low severity)
  • Requires coordination with SLF4J 2.0.x dependency line and Java 11+ runtime

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

sdkmanager/pom.xml
<resilience4j.version>2.2.0</resilience4j.version>
<httpcomponents.version>5.5</httpcomponents.version>
<jackson.version>2.15.3</jackson.version>
<slf4j.version>2.0.9</slf4j.version>
Copy link

Copilot AI Dec 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The upgrade to Logback 1.5.21 requires SLF4J 2.0.x, but the current SLF4J version (2.0.9) is from September 2023. Consider upgrading to a more recent SLF4J 2.0.x version (e.g., 2.0.16 or later) to ensure compatibility and include security fixes released since 2.0.9.

Suggested change
<slf4j.version>2.0.9</slf4j.version>
<slf4j.version>2.0.16</slf4j.version>

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sajith-subramanian @snyk-bot