
@renovate-bot (Contributor)

This PR contains the following updates:

Package                                          Change
ch.qos.logback:logback-core (source, changelog)  1.3.15 -> 1.5.19
ch.qos.logback:logback-core (source, changelog)  1.5.16 -> 1.5.19

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-11226

QOS.CH logback-core versions up to 1.5.18 contain an ACE vulnerability in conditional configuration file processing in Java applications. This vulnerability allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting a malicious environment variable before program execution.

A successful attack requires the Janino library and Spring Framework to be present on the user's class path. Additionally, the attacker must have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privileges.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


This PR was generated by Mend Renovate. View the repository job log.

@trusted-contributions-gcf (bot) added the label kokoro:force-run (forces Kokoro to re-run the tests) on Oct 21, 2025
@product-auto-label (bot) added the label size: xs (pull request size is extra small) on Oct 21, 2025
@gemini-code-assist

Summary of Changes

Hello @renovate-bot, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on a crucial security update, upgrading the logback-core dependency to version 1.5.19. This update is essential to mitigate CVE-2025-11226, an arbitrary code execution vulnerability present in previous versions of the library. By incorporating this patch, the project enhances its security posture against potential exploits related to conditional configuration file processing.

Highlights

  • Security Update: Upgraded the ch.qos.logback:logback-core dependency to version 1.5.19 to address CVE-2025-11226, a critical arbitrary code execution vulnerability.
  • Vulnerability Details: The vulnerability affects logback-core versions up to 1.5.18 and could allow arbitrary code execution under specific conditions, including the presence of the Janino library and Spring Framework, and write access to configuration files or environment variables.
  • Dependency Scope: The logback-core dependency, used within the test scope, was updated from both 1.5.16 and 1.3.15 to the patched 1.5.19.

@gemini-code-assist (bot) left a comment

Code Review

This pull request updates the ch.qos.logback:logback-core dependency to version 1.5.19 to address a security vulnerability. The update is applied in two separate Maven profiles within java-showcase/gapic-showcase/pom.xml.

While the intention to patch a security vulnerability is correct, the changes as proposed introduce issues:

  1. In the slf4j2_logback profile, logback-core is updated but logback-classic is left at an older version, creating a version mismatch that is risky.
  2. In the disabledLogging profile, updating logback-core to 1.5.19 creates a critical incompatibility with the SLF4J 1.x API used in that profile, which will cause runtime failures. This profile seems to have pre-existing version inconsistencies that are exacerbated by this change.

I have added detailed comments on the respective lines with explanations and suggestions for how to resolve these issues.

<groupId>ch.qos.logback</groupId>
<artifactId>logback-core</artifactId>
<version>1.3.15</version>
<version>1.5.19</version>
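Review bot: this hunk moves logback-core alone, while the profile's other logging artifacts (slf4j-api 1.7.36 and logback-classic 1.2.13, per the comment on this line) stay where they were, so the 1.5.19 core will be loaded next to an SLF4J 1.x API it is not built against. Either keep this profile on a consistent SLF4J 1.x stack or bump slf4j-api, logback-classic and logback-core together; a single `<logback.version>` property referenced by both Logback artifacts would keep future Renovate bumps from splitting them. Check the resolved tree with `mvn dependency:tree -P disabledLogging` before merging.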

critical

This update introduces a critical incompatibility. The disabledLogging profile uses slf4j-api:1.7.36 (defined on line 330), but logback-core version 1.5.19 requires slf4j-api version 2.0.0 or higher. This mismatch will cause runtime errors like NoSuchMethodError.

This profile also has a version mismatch between logback-classic:1.2.13 and logback-core:1.5.19.

The previous version 1.3.15 was also incompatible with SLF4J 1.7.x.

To resolve this, the logging dependencies in this profile must be aligned. Given the other dependencies in this profile (slf4j-api:1.7.36 and logback-classic:1.2.13), it seems this profile is intended for SLF4J 1.x. If so, logback-core should be a version compatible with that, like 1.2.13. If an upgrade is necessary for security, the entire logging stack in this profile (slf4j-api, logback-classic, logback-core) should be upgraded to compatible versions (e.g., SLF4J 2.x and Logback 1.5.x).

<groupId>ch.qos.logback</groupId>
<artifactId>logback-core</artifactId>
<version>1.5.16</version>
<version>1.5.19</version>
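Review bot: logback-classic is left at 1.5.16 in this profile while logback-core goes to 1.5.19; the two modules are released in lockstep, so bump logback-classic in the same change rather than leaving the fix for a later PR. If these keep arriving as separate Renovate PRs, a packageRules group for the ch.qos.logback artifacts would deliver both bumps in one change.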

high

While updating logback-core to 1.5.19 is correct for the security fix, the corresponding logback-classic dependency on line 247 is still at 1.5.16. It is best practice to keep all modules of Logback at the same version to prevent potential runtime issues. Please consider updating logback-classic to 1.5.19 as well in this profile.
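A small audit for the version drift the review above describes, added here as an example and not part of this PR or the project: it parses a constructed pom.xml fragment modelled on the two profiles named in the review and applies the review's three rules (logback-core at or above 1.5.19, logback-core and logback-classic at the same version, Logback 1.3.x and later paired with slf4j-api 2.x). The profile contents and the slf4j-api 2.0.16 value in slf4j2_logback are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed pom.xml modelled on the two profiles in the review (not the project's file; slf4j-api 2.0.16 is assumed).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><profiles>
<profile><id>slf4j2_logback</id><dependencies>
<dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><version>2.0.16</version></dependency>
<dependency><groupId>ch.qos.logback</groupId><artifactId>logback-classic</artifactId><version>1.5.16</version></dependency>
<dependency><groupId>ch.qos.logback</groupId><artifactId>logback-core</artifactId><version>1.5.19</version></dependency>
</dependencies></profile>
<profile><id>disabledLogging</id><dependencies>
<dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><version>1.7.36</version></dependency>
<dependency><groupId>ch.qos.logback</groupId><artifactId>logback-classic</artifactId><version>1.2.13</version></dependency>
<dependency><groupId>ch.qos.logback</groupId><artifactId>logback-core</artifactId><version>1.5.19</version></dependency>
</dependencies></profile>
</profiles></project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
CORE, CLASSIC = "ch.qos.logback:logback-core", "ch.qos.logback:logback-classic"
SLF4J = "org.slf4j:slf4j-api"

def parse_version(text):
    """'1.5.19' -> (1, 5, 19); qualifiers such as '-SNAPSHOT' are ignored."""
    return tuple(int(p) for p in text.split("-")[0].split(".")[:3])

def profile_dependencies(pom_xml):
    """Map profile id -> {'group:artifact': version} for every Maven profile."""
    profiles = {}
    for prof in ET.fromstring(pom_xml).findall("m:profiles/m:profile", NS):
        deps = {}
        for dep in prof.findall("m:dependencies/m:dependency", NS):
            ga = [dep.findtext(t, namespaces=NS) for t in ("m:groupId", "m:artifactId")]
            deps[":".join(ga)] = dep.findtext("m:version", namespaces=NS)
        profiles[prof.findtext("m:id", namespaces=NS)] = deps
    return profiles

def audit(pom_xml):
    """Return (profile, message) findings; an empty list means the stack is aligned."""
    findings = []
    for pid, deps in profile_dependencies(pom_xml).items():
        core, classic, slf4j = deps.get(CORE), deps.get(CLASSIC), deps.get(SLF4J)
        if core is None:
            continue  # profile does not declare logback-core directly
        if parse_version(core) < (1, 5, 19):  # first release without CVE-2025-11226
            findings.append((pid, f"logback-core {core} is below 1.5.19 (CVE-2025-11226)"))
        if classic is not None and classic != core:
            findings.append((pid, f"logback-core {core} and logback-classic {classic} differ"))
        # Logback 1.3.x and later are built against the SLF4J 2.x API.
        if slf4j and parse_version(core) >= (1, 3, 0) and parse_version(slf4j) < (2, 0, 0):
            findings.append((pid, f"logback-core {core} needs slf4j-api >= 2.0.0, found {slf4j}"))
    return findings
```

Run against the sample it reports one finding for slf4j2_logback (classic/core mismatch) and two for disabledLogging (mismatch plus the SLF4J 1.x API), which is exactly the pair of issues raised in the review.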
