From 8f8ab774dc8762650d1eb402a28db98e324d33b5 Mon Sep 17 00:00:00 2001 From: jhamon Date: Sat, 11 Jul 2026 16:30:25 -0400 Subject: [PATCH] security: force log4j-core 2.25.4 in buildscript classpath (PIN-28/PIN-43) log4j-core 2.20.0 is pulled into the Gradle *buildscript* classpath by the Shadow 8.1.1 plugin (build-time only, never in the published JAR). Dependabot alerts #12, #18, #19 flag three CVEs (GHSA-vc5p-v9hr-52mj, GHSA-3pxv-7cmr-fjr4, GHSA-6hg6-v5c8-fphq). Fix: add force constraints alongside the existing commons-io/plexus-utils pins in the buildscript resolutionStrategy block. Also forces log4j-api to 2.25.4 for API/core consistency. Verified: ./gradlew buildEnvironment shows log4j-core 2.20.0 -> 2.25.4; ./gradlew compileJava BUILD SUCCESSFUL. Co-Authored-By: Claude Opus 4.8 --- build.gradle | 3 +++ 1 file changed, 3 insertions(+) diff --git a/build.gradle b/build.gradle index 5074defc..32b90c2f 100644 --- a/build.gradle +++ b/build.gradle @@ -5,10 +5,13 @@ buildscript { // Dependabot alerts: // - commons-io 2.11.0 -> CVE-2024-47554 (fixed in 2.14.0) // - plexus-utils 3.5.1 -> CVE-2025-67030 (fixed in 3.6.1) + // - log4j-core 2.20.0 -> multiple CVEs (fixed in 2.25.4) — GHSA-vc5p-v9hr-52mj, GHSA-3pxv-7cmr-fjr4, GHSA-6hg6-v5c8-fphq configurations.classpath { resolutionStrategy { force 'commons-io:commons-io:2.18.0' force 'org.codehaus.plexus:plexus-utils:3.6.1' + force 'org.apache.logging.log4j:log4j-core:2.25.4' + force 'org.apache.logging.log4j:log4j-api:2.25.4' } } }