Posted to commits@tapestry.apache.org by "Thiago Henrique De Paula Figueiredo (Jira)" <ji...@apache.org> on 2022/03/06 21:21:00 UTC

[jira] [Closed] (TAP5-2704) quickstart should use later log4j2

     [ https://issues.apache.org/jira/browse/TAP5-2704?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thiago Henrique De Paula Figueiredo closed TAP5-2704.
-----------------------------------------------------
    Fix Version/s: 5.8.1
       Resolution: Fixed

Thank you very much for these suggestions, [~timcu]! I've implemented all the library and Maven plugin version upgrades.

> quickstart should use later log4j2
> ----------------------------------
>
>                 Key: TAP5-2704
>                 URL: https://issues.apache.org/jira/browse/TAP5-2704
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: quickstart
>    Affects Versions: 5.8.0
>            Reporter: D Tim Cummings
>            Assignee: Thiago Henrique De Paula Figueiredo
>            Priority: Major
>             Fix For: 5.8.1
>
>
> Although not as vulnerable as earlier versions, quickstart is using a log4j2 which is still vulnerable. Please upgrade from 2.16.0 to 2.17.1.
> While doing that, "mvn versions:display-dependency-updates" shows the following libraries which can be updated. I think the jackson update is a security fix.
> com.fasterxml.jackson.core:jackson-core ............. 2.12.5 -> 2.13.1
> com.fasterxml.jackson.core:jackson-databind ......... 2.12.5 -> 2.13.1
> com.fasterxml.jackson.dataformat:jackson-dataformat-yaml ..2.12.5 -> 2.13.1
> org.eclipse:yasson ....................................2.0.2 -> 2.0.4
> org.junit.jupiter:junit-jupiter .......................5.7.2 -> 5.8.2
> Also "mvn versions:display-plugin-updates" gives warnings that the following plugins do not have versions specified so they could be added to the build section of pom.xml.
> [WARNING] The following plugins do not have their version specified:
> [WARNING]   maven-clean-plugin ...................... (from super-pom) 3.1.0
> [WARNING]   maven-deploy-plugin .................. (from super-pom) 3.0.0-M1
> [WARNING]   maven-install-plugin ................. (from super-pom) 3.0.0-M1
> [WARNING]   maven-resources-plugin .................. (from super-pom) 3.2.0
> [WARNING]   maven-site-plugin ....................... (from super-pom) 3.9.1



--
This message was sent by Atlassian Jira
(v8.20.1#820001)