opennms icon indicating copy to clipboard operation
opennms copied to clipboard
verified publisher icon OpenNMS

build(deps): bump log4j2Version from 2.21.1 to 2.22.1

Open dependabot[bot] opened this issue 2 years ago • 1 comments

Bumps log4j2Version from 2.21.1 to 2.22.1. Updates org.apache.logging.log4j:log4j-bom from 2.21.1 to 2.22.1

Release notes

Sourced from org.apache.logging.log4j:log4j-bom's releases.

2.22.1

This release contains only dependency upgrades and bug fixes, which do not change the behavior of the artifacts.

While maintaining compatibility with Java 8, the artifacts in this release where generated using JDK 17, unlike version 2.22.0 that used JDK 11.

Fixed

  • Mark JdkMapAdapterStringMap as frozen if map is immutable. (#2098)
  • Fix NPE in CloseableThreadContext. (#1426)
  • Use the module name of Conversant Media Disruptor from version 1.2.16+ of the library.
  • Fix NPE in RollingFileManager. (#1645)
  • Fix log4j-to-slf4j JPMS and OSGi descriptors. (#1983)
  • Workaround a Coursier/Ivy dependency resolution bug affecting log4j-slf4j-impl and log4j-mongodb3. (#2065)

Updated

  • Bumped the minimum Java version required for the build to Java 17. Runtime requirements remain unchanged. (#2021)
  • Update com.github.luben:zstd-jni to version 1.5.5-11 (#2030)
  • Update com.google.guava:guava to version 33.0.0-jre (#2110)
  • Update commons-codec:commons-codec to version 1.16.0 (#2042)
  • Update commons-io:commons-io to version 2.15.1 (#2034)
  • Update commons-logging:commons-logging to version 1.3.0 (#2050)
  • Update io.netty:netty-bom to version 4.1.104.Final (#2095)
  • Update org.apache.commons:commons-compress to version 1.25.0 (#2045)
  • Update org.apache.commons:commons-dbcp2 to version 2.11.0 (#2048)
  • Update org.apache.commons:commons-lang3 to version 3.14.0 (#2047)
  • Update org.apache.commons:commons-pool2 to version 2.12.0 (#2057)
  • Update org.apache.kafka:kafka-clients to version 3.6.1 (#2068)
  • Update org.apache.logging:logging-parent to version 10.5.0 (#2119)
  • Update org.jctools:jctools-core to version 4.0.2 (#1984)
  • Update org.springframework.boot:spring-boot to version 2.7.18 (#1998)
  • Update org.springframework.cloud:spring-cloud-dependencies to version 2021.0.9 (#2109)

2.22.0

This releases provides a CycloneDX Software Bill of Materials (SBOM) along with each artifact and contains bug fixes addressing issues in the JPMS & OSGi infrastructure overhauled in 2.21.0, dependency updates, and some other minor fixes and improvements.

CycloneDX Software Bill of Materials (SBOM)

This is the first Log4j release that provides a CycloneDX Software Bill of Materials (SBOM) along with each artifact. Generated SBOMs are attached as artifacts with cyclonedx classifier and XML extensions, that is, <artifactId>-<version>-cyclonedx.xml. They contain vulnerability-assertion references to a CycloneDX Vulnerability Disclosure Report (VDR) that Apache Logging Services uses for all projects it maintains. This VDR is accessible through the following URL: https://logging.apache.org/cyclonedx/vdr.xml[]

SBOM generation is streamlined by logging-parent, see its website for details.

Changed

  • Change the order of evaluation of FormattedMessage formatters. Messages are evaluated using java.util.Format only if they don't comply to the java.text.MessageFormat or ParameterizedMessage format. (#1223)
  • Change default encoding of HTTP Basic Authentication to UTF-8 and add log4j2.configurationAuthorizationEncoding property to overwrite it. (#1970)
  • Update com.fasterxml.jackson:jackson-bom to version 2.16.0 (#1974)
  • Update com.github.luben:zstd-jni to version 1.5.5-10 (#1940)
  • Update com.google.guava:guava to version 32.1.3-jre (#1875)
  • Update io.netty:netty-bom to version 4.1.101.Final (#1960)

... (truncated)

Commits
  • 8469975 Release changelog for version 2.22.1
  • edd35da Update the project.build.outputTimestamp property
  • 34a38fd Add license to .htaccess files
  • 497bb54 Replace HTML redirect with HTTP redirect
  • cf4df91 Improve release notes
  • 814ba1e Remove META-INF/versions leftovers before compilation
  • 6a0953a Update the project.build.outputTimestamp property
  • 462225d Delete generated module descriptors before recompilation
  • 7d98af1 Release changelog for version 2.22.1
  • d013473 Update the project.build.outputTimestamp property
  • Additional commits viewable in compare view

Updates org.apache.logging.log4j:log4j-slf4j-impl from 2.21.1 to 2.22.1

Updates org.apache.logging.log4j:log4j-api from 2.21.1 to 2.22.1

Updates org.apache.logging.log4j:log4j-core from 2.21.1 to 2.22.1

Updates org.apache.logging.log4j:log4j-1.2-api from 2.21.1 to 2.22.1

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

dependabot[bot] avatar Jan 03 '24 19:01 dependabot[bot]

@dependabot rebase

RangerRick avatar Jan 19 '24 16:01 RangerRick

OK, I won't notify you again about this release, but will get in touch when a new version is available. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

dependabot[bot] avatar Apr 03 '24 14:04 dependabot[bot]