maven-project dependency pulls in log4j1 #364
Comments
DRoppelt changed the title from "maven-project dependency pulls in log4j1 dependency" to "maven-project dependency pulls in log4j1" on Nov 3, 2022
Related #369

@aleksandr-m do you have a timeline on releasing this? Maybe a

Any news on that for a next 1.19.1? Is there a maven repository available, where the version "1.19.1-SNAPSHOT" - currently on master branch - can be pulled?
Hi,
very much appreciate your project here.
We have some security scans on our maven build agents and they keep flagging "someone uses log4j1!", so we investigated and found your plugin to be the one that eventually leads to log4j.jar to be present in build cache.
It seems like the project is using some alpha dependencies from 2009 (maven-project). Which seems to be replaced by maven-core (which this plugin also depends on).
Any way you would consider cleaning up that dependency tree?
I am not familiar with plugin development, I would submit a PR if you'd like.
How to reproduce:
mvn dependency:tree > tree.log && grep -i "gitflow" -A 80 tree.log
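An added example, not part of the original issue or the plugin's code: rather than reading 80 lines of grep context, this walks the text output of `mvn dependency:tree` and returns the full ancestor chain of every `log4j:log4j` node, so the dependency to exclude or upgrade is explicit. The sample tree, its `com.example` coordinates and the `0.0.0` versions are constructed placeholders, and the parser assumes the plugin's default text format.

```python
import re
import sys

# One node of `mvn dependency:tree` text output: optional "[INFO] " prefix,
# 3-character tree-drawing units, then group:artifact:type[:classifier]:version[:scope].
NODE = re.compile(
    r"^(?:\[INFO\] )?(?P<indent>(?:\|  |   |\+- |\\- )*)"
    r"(?P<coord>[^\s:]+(?::[^\s:]+){3,5})"
)

def paths_to(tree_text, group, artifact):
    """Return every root-to-node chain that ends at group:artifact."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # banner, summary or blank line
        depth = len(m.group("indent")) // 3
        del stack[depth:]  # leave only the ancestors of the current node
        stack.append(m.group("coord"))
        if m.group("coord").split(":")[:2] == [group, artifact]:
            hits.append(list(stack))
    return hits

# Constructed sample: com.example coordinates and 0.0.0 versions are placeholders.
SAMPLE = r"""
[INFO] --- maven-dependency-plugin:0.0.0:tree (default-cli) @ demo-app ---
[INFO] com.example:demo-app:jar:0.0.0
[INFO] +- com.example:gitflow-like-plugin:jar:0.0.0:compile
[INFO] |  +- org.apache.maven:maven-core:jar:0.0.0:compile
[INFO] |  \- org.apache.maven:maven-project:jar:0.0.0:compile
[INFO] |     \- com.example:legacy-lib:jar:0.0.0:compile
[INFO] |        \- log4j:log4j:jar:0.0.0:compile
[INFO] \- org.slf4j:slf4j-api:jar:0.0.0:compile
[INFO] BUILD SUCCESS
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    # log4j:log4j is the Log4j 1.x coordinate; Log4j 2 uses org.apache.logging.log4j.
    for chain in paths_to(text, "log4j", "log4j"):
        print(" -> ".join(chain))
```

Passing the `tree.log` written by the command above as the first argument prints one chain per occurrence.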