security: force log4j-core 2.25.4 in buildscript classpath (Dependabot #12 #18 #19)#225
Open
jhamon wants to merge 1 commit into
Open
security: force log4j-core 2.25.4 in buildscript classpath (Dependabot #12 #18 #19)#225jhamon wants to merge 1 commit into
jhamon wants to merge 1 commit into
Conversation
…N-43) log4j-core 2.20.0 is pulled into the Gradle *buildscript* classpath by the Shadow 8.1.1 plugin (build-time only, never in the published JAR). Dependabot alerts #12, #18, #19 flag three CVEs (GHSA-vc5p-v9hr-52mj, GHSA-3pxv-7cmr-fjr4, GHSA-6hg6-v5c8-fphq). Fix: add force constraints alongside the existing commons-io/plexus-utils pins in the buildscript resolutionStrategy block. Also forces log4j-api to 2.25.4 for API/core consistency. Verified: ./gradlew buildEnvironment shows log4j-core 2.20.0 -> 2.25.4; ./gradlew compileJava BUILD SUCCESSFUL. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves 3 open medium Dependabot alerts on pinecone-java-client (PIN-28 / PIN-43).
Root cause: log4j-core is pulled into the Gradle buildscript classpath (not the published JAR) by the Shadow 8.1.1 Gradle plugin. Dependabot correctly flags it as a direct dep in
build.gradlebecause the Shadow plugin declaration is direct.Fix: added
force 'org.apache.logging.log4j:log4j-core:2.25.4'andlog4j-api:2.25.4to the existingbuildscript.configurations.classpath.resolutionStrategyblock alongside the prior commons-io and plexus-utils pins. This is build-time only — the published artifact is unaffected.Verification
./gradlew buildEnvironmentshows log4j-core 2.20.0 → 2.25.4 ✅./gradlew compileJava→ BUILD SUCCESSFUL ✅Note
Low Risk
Build-time dependency resolution only; no runtime or published-library dependency changes.
Overview
Pins log4j-core and log4j-api to 2.25.4 in the existing
buildscriptresolutionStrategy.forceblock, alongside the commons-io and plexus-utils pins.This addresses Dependabot alerts for vulnerable log4j-core 2.20.0 pulled transitively onto the Gradle build JVM classpath by the Shadow plugin—not into the published client JAR. Comments document the related GHSA/CVE references.
Reviewed by Cursor Bugbot for commit 8f8ab77. Bugbot is set up for automated code reviews on this repo. Configure here.