mapneat
Update dependency to resolve issue relating to log4j CVE
A critical CVE has been discovered in Log4J that requires immediate resolution.
Further detail can be found here and here.
A dependency update is required of log4j dependencies to resolve.
@ReidWeb thank you for mentioning. I will take care of it as soon as I find some available time.
Thanks, hopefully should find the time later to get something in to this effect
@ReidWeb created a new version with your PR. Thank you for the contributions.
New version is: 0.9.8
Because of the log4j incident, the MVN central is working atrociously slow. It might take a while to sync, so it's best if you try tomorrow.
Understandable, think a few repos were having that issue yesterday
It's been found overnight that the fix is incomplete in 2.15.0, will file a PR for that if you don't get to it before I can.
Having some difficulties importing this into our project, don't see any tags or releases in your repo, do you know which commit in the repo corresponds to the 0.9.6 release?
From reviewing the git commitlog, looks like #23 added a good number of changes.
#23 never appears to have been released independently, 0.9.6 was in February, this PR was merged in October?
So has only just been released with 0.9.8 from what I can see.
We're facing an issue utilising the module
Cannot access 'org.apache.logging.log4j.kotlin.Logging' which is a supertype of 'net.andreinc.mapneat.dsl.MapNeat'
The constructor of MapNeat appears to have changed and would seem to correspond to the error we're facing? i.e. seems this PR introduced a breaking change from what I'm reading?
Would it be at all possible to correct this? From my experience I'd recommend either:
- A change reverting this change introduced in #23 and release that again in line with semver
- A change correcting this constructor? If possible? Not quite sure if it is?
Apologies if any of the above isn't correct, I'm by no means an expert in Kotlin or the JVM.
Digging deeper on this
For published version 0.9.6 of Mapneat, IntelliJ IDEA reports the dependency as looking like so

Whereas with 0.9.8 it resolves as a flat dependency

Was 0.9.6 built and published with maven?
I think there's a problem with the gradle version I've used to build up everything. Gradle is a nightmare when it comes to breaking changes. I need to take a deeper look to understand what is happening. I had/have limited time because the log4j incident was also problematic at work...
I will come back with some answers.
Yes, there was a skip in versions.
I think the problem is not with the constructor but with the way the jar is built.
I will come back with an answer hopefully soon.
Meanwhile there's an agnostic fix to the log4j problem with running an agent. Use that.
Sorry for the inconvenience.
Tried to submit another fix to maven central:
maven2): Failed to transfer file: https://oss.sonatype.org/service/local/staging/deploy/maven2/net/andreinc/mapneat/0.9.9/mapneat-0.9.9.pom.asc. Return code is: 405, ReasonPhrase: Not Allowed.
Method not allowed during maintenance
Things are getting more complicated...
I will retry again later or tomorrow.
Thanks for the update, we managed to bypass by enforcing a platform level dependency. I'll dig out the line tomorrow
@ReidWeb can you please try again with:
0.9.9
If you are still experiencing problems (the constructor change should be backwards compatible), can you please:
- Tell me if you are using the library from Java or from Kotlin;
- Can you give me a small sample of code that was working before the #23 and not working anymore?
All issues and concerns resolved with the implementation of 0.9.9. Thanks Andrei
Happy to help.
I think this broke again in 1.0.0:
e: /Users/wfisher/Desktop/Backend/backend/src/test/java/org/lirr/backend/test/helper/TestUtilsTest.kt: (61, 13): Cannot access 'org.apache.logging.log4j.kotlin.Logging' which is a supertype of 'net.andreinc.mapneat.dsl.MapNeat'. Check your module classpath for missing or conflicting dependencies
But it's working on 0.9.9 so I just downgraded.
@wafisher I will take another look this week to see why it's broken. Had some terrible times with maven central and gradle lately, so I need to get a closer look anyways.
Thank you for stopping by.