Posted to issues@maven.apache.org by "Yogesh Desai (Jira)" <ji...@apache.org> on 2022/08/19 15:50:00 UTC

[jira] [Comment Edited] (MJAVADOC-724) Maven Java Doc Plug-in v3.4.0 downloads Log4j-1.2.12 dependency transitively

    [ https://issues.apache.org/jira/browse/MJAVADOC-724?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17581930#comment-17581930 ] 

Yogesh Desai edited comment on MJAVADOC-724 at 8/19/22 3:49 PM:
----------------------------------------------------------------

[~michael-o] - Created a new ticket with all the details. Please refer to the same. Thanks!

https://issues.apache.org/jira/browse/MJAVADOC-726


was (Author: JIRAUSER294182):
[~michael-o] - Created a new ticket with all the details. Please refer to the same. Thanks!

https://issues.apache.org/jira/browse/MJAVADOC-726|http://example.com

> Maven Java Doc Plug-in v3.4.0 downloads Log4j-1.2.12 dependency transitively
> ----------------------------------------------------------------------------
>
>                 Key: MJAVADOC-724
>                 URL: https://issues.apache.org/jira/browse/MJAVADOC-724
>             Project: Maven Javadoc Plugin
>          Issue Type: Bug
>          Components: jar, javadoc
>         Environment: Windows 10
>            Reporter: Yogesh Desai
>            Priority: Major
>              Labels: Vulnerability
>
> I have observed that Maven Java Doc Plug-in v3.4.0 downloads the Log4j-1.2.12 dependency transitively into the .m2 folder. Since Log4j-1.X is strictly prohibited for use in many organisations, we had no other option than not using the plugin. Please plan to fix this issue and get rid of the log4j-1.X dependency. Thanks!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)