Skip to content

build(deps): bump the logging group across 1 directory with 2 updates#23

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/logging-e2941cc391
Open

build(deps): bump the logging group across 1 directory with 2 updates#23
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/logging-e2941cc391

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 4, 2026

Copy link
Copy Markdown
Contributor

Bumps the logging group with 2 updates in the / directory: org.slf4j:slf4j-api and ch.qos.logback:logback-classic.

Updates org.slf4j:slf4j-api from 2.0.17 to 2.0.18

Updates ch.qos.logback:logback-classic from 1.5.18 to 1.5.38

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.38

2026-07-09 Release of logback version 1.5.38

• In HardenedObjectInputStream, fixed a typo preventing Throwable objects from being white-filtered. This issue was reported in [PR #1045](qos-ch/logback#1045) by t0rchwo0d.

• A bitwise identical binary of this version can be reproduced by building from source code at commit d04984a41fce42977466f45a2f076f0ee5cc4207 associated with the tag v_1.5.38. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.37

2026-06-26 Release of logback version 1.5.37

  1. • Given the numerous vulnerabilities related to conditional configuration processing based on the evaluation of Java expressions using the Janino library, support for such expressions has been removed. Users are offered the an online migration service or the <condition> element introduced in version 1.5.20. See the relevant documentation for more details.

• A bitwise identical binary of this version can be reproduced by building from source code at commit c1df7f522e648eec7b4ef6a12c8758fec0f00048 associated with the tag v_1.5.37. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.36

2026-06-25 Release of logback version 1.5.36

• The 'condition' attribute in <if> elements now reject certain references that are associated with ACE attacks. This issue was reported by "yulate" (yulate531@gmail.com.com) and registered as CVE-2026-13006. Please note that version 1.5.37 provides the full fix to this vulnerability.

• A bitwise identical binary of this version can be reproduced by building from source code at commit 9b94c37562bf25a6a944146701d42ee6c4eee888 associated with the tag v_1.5.36. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.35

026-06-23 Release of logback version 1.5.35

• The 'condition' attribute in <if> elements now rejects unicode escape sequences (\u and \U). This closes a bypass of the existing prohibition on the new operator in Janino-evaluated conditions. This issue was reported by IcySun (icysun@qq.com) and registered as CVE-2026-13006. Please note that version 1.5.37 provides the full fix to this vulnerability.

• Added ConfiguratorRank.AUTHENTICATING (rank 100), the highest configurator rank, for certified/authenticating configurators discovered via the ServiceLoader mechanism. ContextInitializer now requires that at most one such configurator exist on the classpath; if more than one is found, initialization aborts with an error.

ConsoleCharsetPropertyDefiner is no longer shipped. The Java 21 multi-release compilation of logback-core has been disabled, which removes this class from the published artifact. Configurations that referenced ch.qos.logback.core.property.ConsoleCharsetPropertyDefiner will need an alternative approach for console charset detection.

• The logback-examples module is now included in artifacts published to Maven Central.

JoranConfigurator.makeAnotherInstance() and DefaultJoranConfigurator.performMultiStepConfigurationFileSearch() are now protected, allowing derived configurators to override these methods.

• A bitwise identical binary of this version can be reproduced by building from source code at commit 08bd1598d565d83444f72983935e7da4746783b7 associated with the tag v_1.5.35. Release built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Logback 1.5.33

2026-05-27 Release of logback version 1.5.33

PropertiesConfiguratorModelHandler now registers properties file URLs to the ConfigurationWatchList when scan is enabled (via local scan="true" attribute or top-level configuration scan), ensuring changes are detected and reconfiguration occurs. This problem was reported in issues/1034.

... (truncated)

Commits
  • d04984a prepare release 1.5.38
  • 4fffda6 updateversion of maven-gpg-plugin
  • 7ee48a1 Fixed a typo where java,lang.Throwable was written with a comma instead of a ...
  • 84580a2 remove license profile
  • f817c8d start work on 1.5.28-SNAPSHOT
  • c1df7f5 prepare release 1.5.37
  • a189967 remove conditional based on janino
  • aaa9052 start work on 1.5.37-SNAPSHOT
  • 9b94c37 prepare release 1.5.36
  • e6a8280 prevent attacks using disallowed references
  • Additional commits viewable in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot @github

dependabot Bot commented on behalf of github Jun 4, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot changed the title build(deps): bump the logging group with 2 updates build(deps): bump the logging group across 1 directory with 2 updates Jun 10, 2026
@dependabot
dependabot Bot force-pushed the dependabot/maven/logging-e2941cc391 branch from 0a6a484 to 0a2861f Compare June 10, 2026 16:54
@dependabot
dependabot Bot force-pushed the dependabot/maven/logging-e2941cc391 branch 2 times, most recently from 6223e5c to 2453974 Compare June 24, 2026 16:54
@dependabot
dependabot Bot force-pushed the dependabot/maven/logging-e2941cc391 branch from 2453974 to 9da516f Compare July 1, 2026 16:58
@dependabot
dependabot Bot requested a review from sbharatjoshi as a code owner July 1, 2026 16:58
@dependabot
dependabot Bot force-pushed the dependabot/maven/logging-e2941cc391 branch from 9da516f to 6f63e3e Compare July 8, 2026 16:54
Bumps the logging group with 2 updates in the / directory: org.slf4j:slf4j-api and [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback).


Updates `org.slf4j:slf4j-api` from 2.0.17 to 2.0.18

Updates `ch.qos.logback:logback-classic` from 1.5.18 to 1.5.38
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.18...v_1.5.38)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.34
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: logging
- dependency-name: org.slf4j:slf4j-api
  dependency-version: 2.0.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: logging
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/maven/logging-e2941cc391 branch from 6f63e3e to eae7416 Compare July 15, 2026 16:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants