You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Michael Osipov (Jira)" <ji...@apache.org> on 2022/08/10 06:18:00 UTC

[jira] [Commented] (MJAVADOC-724) Maven Java Doc Plug-in v3.4.0 downloads Log4j-1.2.12 dependency transitively

    [ https://issues.apache.org/jira/browse/MJAVADOC-724?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17577790#comment-17577790 ] 

Michael Osipov commented on MJAVADOC-724:
-----------------------------------------

Where is it?

> Maven Java Doc Plug-in v3.4.0 downloads Log4j-1.2.12 dependency transitively
> ----------------------------------------------------------------------------
>
>                 Key: MJAVADOC-724
>                 URL: https://issues.apache.org/jira/browse/MJAVADOC-724
>             Project: Maven Javadoc Plugin
>          Issue Type: Bug
>          Components: jar, javadoc
>         Environment: Windows 10
>            Reporter: Yogesh Desai
>            Priority: Major
>              Labels: Vulnerability
>
> I have observed that Maven Java Doc Plug-in v3.4.0 downloads Log4j-1.2.12 dependency transitively in .m2 folder. Since Log4j-1.X is strictly prohibited for use in many organisations, we had no other option that not using the plugin. Please plan to fix this issue and get rid of the log4j-1.X dependency. Thanks!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)