You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tinkerpop.apache.org by "Stephen Mallette (Jira)" <ji...@apache.org> on 2022/06/16 10:47:00 UTC

[jira] [Closed] (TINKERPOP-2715) remove log4jv1 dependency

     [ https://issues.apache.org/jira/browse/TINKERPOP-2715?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Mallette closed TINKERPOP-2715.
---------------------------------------
    Fix Version/s: 3.7.0
                   3.6.1
         Assignee: Stephen Mallette
       Resolution: Done

hadoop removed log4j 1.x and replaced it with reload4j. recent bump to the latest version along 3.6.x allowed log4j 1.x to be removed:

https://github.com/apache/tinkerpop/commit/01663308b8ddf21c996567bdc32ac217530cd0b5

> remove log4jv1 dependency
> -------------------------
>
>                 Key: TINKERPOP-2715
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2715
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: build-release
>    Affects Versions: 3.5.2
>            Reporter: PJ Fanning
>            Assignee: Stephen Mallette
>            Priority: Major
>             Fix For: 3.7.0, 3.6.1
>
>
> Can this be reconsidered? Log4jv1 has even more open CVEs now.
> [https://repo1.maven.org/maven2/org/apache/tinkerpop/gremlin-driver/3.5.2/gremlin-driver-3.5.2.pom]
> https://issues.apache.org/jira/browse/TINKERPOP-1983



--
This message was sent by Atlassian Jira
(v8.20.7#820007)