serverless / serverless Public
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
serverless/lib/plugins/create/templates/aws-kotlin-jvm-gradle/build.gradle , because this file have log4j 2.13 version #10370
Comments
|
@JuanBermudezN PR's welcome! |
|
In the same plugin the version of aws-lambda-java-log4j2 is 1.2.0 and AWS recommends updating to version 1.3.0 |
Do you know if updating org.apache.logging.log4j:log4j-api:2.13.3 to org.apache.logging.log4j:log4j-api:2.16.0, |
|
@JuanBermudezN No, unfortunately I'm not familiar with Java runtime handling |
|
@JuanBermudezN I believe it does not include any breaking changes and we should upgrade it in the templates to 2.16.0 at least - PRs are welcome to address that for all our existing templates. Additionally, as @MarinaMeza pointed out, we should also update
PRs for that change would also be very welcome |
|
I created a PR for the AWS upgrade only since there's another PR for updating the other two dependencies |
|
Hello @varun73 and @MarinaMeza - there seems to be a bit of overlap between your corresponding PRs - I don't want any of you stepping on each others toes, could we agree what part each of you would like to cover? That way we could avoid unnecessary work when both of you cover the same thing. |
|
Hi @pgrzesik , I can revert back aws library changes and only keep the apache log4j changes. @MarinaMeza Has covered all the aws log4j changes. |
|
That would be great @varun73 - sorry for the confusion and big thanks to both of you for addressing this |
|
@pgrzesik No problem, I have reverted the aws library change. There should be no overlap now. |
|
They found a new vulnerability in version 2.16.0, there is a new update for the log4j, 2.17.0, also a new version of the aws-lambda-java-log4j2 to 1.5.0, I will try to make the PR to the repository. |
|
@pgrzesik Hello, good afternoon, one question, do you know when you are going to launch a new release with the log4j changes? |
|
Hello @JuanBermudezN - it should be released sometime this week |
Are you certain it's a bug?
Is the issue caused by a plugin?
Are you using the latest version?
Is there an existing issue for this?
Issue description
Hello, good morning, I want to know if you are going to update the version of log4j on the following plugin :plugins/create/templates/aws-kotlin-jvm-gradle/build.gradle , because this file have log4j 2.13 versions:
rg.apache.logging.log4j:log4j-api:2.13.3',
'org.apache.logging.log4j:log4j-core:2.13.3',
thank you.
Service configuration (serverless.yml) content
N/ACommand name and used flags
N/A
Command output
Environment information
The text was updated successfully, but these errors were encountered: