Conversation

@pboos
Contributor

@pboos pboos commented Feb 10, 2026

Summary

  • Upgrades ch.qos.logback:logback-core from 1.5.21 to 1.5.25 to fix CVE-2026-1225 (ACE vulnerability in logback configuration file processing)
  • Logback is a transitive dependency via Spring Boot 4.0.0's BOM — Spring Boot hasn't released a version with the fix yet
  • Uses both resolutionStrategy (for subprojects using platform(SpringBootPlugin.BOM_COORDINATES)) and ext['logback.version'] (for subprojects using io.spring.dependency-management plugin) to ensure all subprojects resolve to 1.5.25

Changes

  • gradle/libs.versions.toml: Added logback = "1.5.25" version and library entries
  • build.gradle: Added resolution strategy and ext property override in subprojects block

Verification

  • All subprojects resolve logback-core to 1.5.25 (verified via ./gradlew dependencies)
  • Compilation and tests pass (./gradlew compileJava compileTestJava test)
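The two override paths the summary describes, written out as an added example (not the PR's own diff). It assumes the root `build.gradle` and a version catalog entry `logback = "1.5.25"`, and it generalizes slightly by pinning every `ch.qos.logback` artifact rather than `logback-core` alone, so `logback-classic` cannot drag in a mismatched core:

```groovy
// build.gradle (root project) -- added example, not the PR's own change.
// Assumes gradle/libs.versions.toml declares:  logback = "1.5.25"
subprojects {
    def logbackVersion = libs.versions.logback.get()

    // Path A: subprojects that import the Spring Boot BOM via
    // platform(SpringBootPlugin.BOM_COORDINATES). The BOM only recommends
    // 1.5.21, so a resolution rule on every configuration overrides it.
    configurations.all {
        resolutionStrategy {
            eachDependency { details ->
                // Pin the whole group, not just logback-core, to keep
                // logback-classic and logback-core at the same version.
                if (details.requested.group == 'ch.qos.logback') {
                    details.useVersion(logbackVersion)
                    details.because('CVE-2026-1225: logback-core < 1.5.25')
                }
            }
        }
    }

    // Path B: subprojects that apply io.spring.dependency-management.
    // That plugin honours the Spring Boot BOM's version properties, so
    // setting the property makes it import logback at 1.5.25.
    ext['logback.version'] = logbackVersion
}

// Check (from the PR's verification step), run per subproject:
//   ./gradlew :<subproject>:dependencies --configuration runtimeClasspath | grep logback
// Every logback line should end in "-> 1.5.25" or show 1.5.25 directly.
```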

@pboos pboos changed the title Fix dependabot alert 31: upgrade logback to 1.5.25 (CVE-2026-1225) CHK-13035: Fix dependabot alert 31: upgrade logback to 1.5.25 (CVE-2026-1225) Feb 10, 2026
@pboos
Contributor Author

pboos commented Feb 10, 2026

Not needed, as the Spring Boot update fixed the Dependabot issue.

@pboos pboos closed this Feb 10, 2026