Skip to content

security: force log4j-core 2.25.4 in buildscript classpath (Dependabot #12 #18 #19)#225

Open
jhamon wants to merge 1 commit into
mainfrom
security/pin-log4j-buildscript
Open

security: force log4j-core 2.25.4 in buildscript classpath (Dependabot #12 #18 #19)#225
jhamon wants to merge 1 commit into
mainfrom
security/pin-log4j-buildscript

Conversation

@jhamon

@jhamon jhamon commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Summary

Resolves 3 open medium Dependabot alerts on pinecone-java-client (PIN-28 / PIN-43).

Alert Package Change Sev
#12 #18 #19 org.apache.logging.log4j:log4j-core 2.20.0 → 2.25.4 medium

Root cause: log4j-core is pulled into the Gradle buildscript classpath (not the published JAR) by the Shadow 8.1.1 Gradle plugin. Dependabot correctly flags it as a direct dep in build.gradle because the Shadow plugin declaration is direct.

Fix: added force 'org.apache.logging.log4j:log4j-core:2.25.4' and log4j-api:2.25.4 to the existing buildscript.configurations.classpath.resolutionStrategy block alongside the prior commons-io and plexus-utils pins. This is build-time only — the published artifact is unaffected.

Verification

  • ./gradlew buildEnvironment shows log4j-core 2.20.0 → 2.25.4 ✅
  • ./gradlew compileJava → BUILD SUCCESSFUL ✅

Note

Low Risk
Build-time dependency resolution only; no runtime or published-library dependency changes.

Overview
Pins log4j-core and log4j-api to 2.25.4 in the existing buildscript resolutionStrategy.force block, alongside the commons-io and plexus-utils pins.

This addresses Dependabot alerts for vulnerable log4j-core 2.20.0 pulled transitively onto the Gradle build JVM classpath by the Shadow plugin—not into the published client JAR. Comments document the related GHSA/CVE references.

Reviewed by Cursor Bugbot for commit 8f8ab77. Bugbot is set up for automated code reviews on this repo. Configure here.

…N-43)

log4j-core 2.20.0 is pulled into the Gradle *buildscript* classpath by the
Shadow 8.1.1 plugin (build-time only, never in the published JAR). Dependabot
alerts #12, #18, #19 flag three CVEs (GHSA-vc5p-v9hr-52mj, GHSA-3pxv-7cmr-fjr4,
GHSA-6hg6-v5c8-fphq). Fix: add force constraints alongside the existing
commons-io/plexus-utils pins in the buildscript resolutionStrategy block.

Also forces log4j-api to 2.25.4 for API/core consistency.

Verified: ./gradlew buildEnvironment shows log4j-core 2.20.0 -> 2.25.4;
./gradlew compileJava BUILD SUCCESSFUL.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant