Check for usage of Log4j vulnerability issue CVE-2021-44228 #260

Closed
@Andy2003

Every library that depends on org.neo4j:neo4j-logging:jar:4.2.4 potentially provides another vector into that whole thing, as we do shade Log4j2 for reasons I don't understand.
That means that the offending class, JndiLookup, is in that jar, under org.neo4j.logging.shaded.log4j.core.lookup.JndiLookup.
So it is not enough to grab for log4j2-core; we must also check for neo4j-logging.

neo4j-graphql-java has that dependency in test scope
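
An added example, not part of the original issue or the project's code: a scanner that reports every copy of JndiLookup.class in an archive, matching on the path suffix so the relocated copy under org/neo4j/logging/shaded/ is found as well as the original, and recursing into nested jars. It reports presence of the class only; the sample archives are constructed in memory with placeholder bytes, and the BOOT-INF/lib layout and function names are assumptions for illustration.

```python
import io
import os
import zipfile

# Path suffix shared by the original class and any relocated (shaded) copy.
SUFFIX = "core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def find_jndilookup(data, origin="<archive>", depth=0, max_depth=4):
    """Return the location of every JndiLookup.class in the archive bytes."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with zf:
        for name in zf.namelist():
            if name.endswith(SUFFIX):
                hits.append(f"{origin}!/{name}")
            elif name.lower().endswith(ARCHIVE_EXTS) and depth < max_depth:
                # Nested archive (fat jar, war): scan its contents too.
                hits += find_jndilookup(zf.read(name), f"{origin}!/{name}",
                                        depth + 1, max_depth)
    return hits

def scan_tree(root):
    """Scan every archive below a directory, e.g. a build output or ~/.m2."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    hits += find_jndilookup(fh.read(), path)
    return hits

def make_jar(entries):
    """Build a constructed in-memory jar from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: placeholder bytes, not real class files.
SHADED = make_jar({"org/neo4j/logging/shaded/log4j/core/lookup/JndiLookup.class": b"x"})
PLAIN = make_jar({"org/apache/logging/log4j/core/lookup/JndiLookup.class": b"x"})
CLEAN = make_jar({"org/example/App.class": b"x"})
FAT = make_jar({"BOOT-INF/lib/neo4j-logging-4.2.4.jar": SHADED, "org/example/App.class": b"x"})

if __name__ == "__main__":
    for label, jar in [("plain", PLAIN), ("shaded", SHADED), ("clean", CLEAN), ("fat", FAT)]:
        print(label, find_jndilookup(jar, label))
```

A search keyed on the log4j-core artifact name or on the org/apache/logging package would miss the SHADED and FAT samples here, which is the gap the issue describes.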

Labels: dependencies