From 932c939f67a6459eb4d00689f0e6ff79a9a13169 Mon Sep 17 00:00:00 2001
From: Reinier Zwitserloot <r.zwitserloot@projectlombok.org>
Date: Sat, 18 Dec 2021 17:47:22 +0100
Subject: [#3063] Whilst lombok is not vulnerable to Log4Shell, we do have the
 dependency on log4j, solely for testing purposes, and no user input is ever
 logged with it. Nevertheless, pushing the dep to 2.17 to avoid false
 positives from vulnerability scanners ruining the day.

---
 buildScripts/ivy.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'buildScripts/ivy.xml')

diff --git a/buildScripts/ivy.xml b/buildScripts/ivy.xml
index ab9ddf6e..736f3eb1 100644
--- a/buildScripts/ivy.xml
+++ b/buildScripts/ivy.xml
@@ -45,7 +45,7 @@
 		<!-- test deps -->
 		<dependency org="junit" name="junit" rev="4.8.2" conf="test->default; sources" />
 		<dependency org="log4j" name="log4j" rev="1.2.17" conf="test->default; sources" />
-		<dependency org="org.apache.logging.log4j" name="log4j-api" rev="2.16.0" conf="test->default; sources" />
+		<dependency org="org.apache.logging.log4j" name="log4j-api" rev="2.17.0" conf="test->default; sources" />
 		<dependency org="commons-logging" name="commons-logging" rev="1.2" conf="test->default; sources" />
 		<dependency org="org.slf4j" name="slf4j-api" rev="1.8.0-beta2" conf="test->default; sources" />
 		<dependency org="org.slf4j" name="slf4j-ext" rev="1.8.0-beta2" conf="test->default; sources" />
-- 
cgit