[SCA] Security upgrade @org.apache.logging.log4j:log4j-api from 2.7 to 2.25.4 #182

Open
gwnlng wants to merge 1 commit into main from snyk-upgrade-4cb1d3dc31587ca65846a19b22b896ea

Conversation

gwnlng (Owner) commented Apr 27, 2026

This is a PR from Snyk, initiated by the Security team, to fix 0 vulnerabilities in the dependencies of this project.

Snyk changed the following file(s):

  • todolist-goof/todolist-web-struts/pom.xml

Important

  • This PR was automatically generated by our security tool to help you fix known vulnerabilities in your project's third-party libraries more efficiently. However, there is a possibility that these changes could introduce functional regressions or breakages. Please ensure you test this PR thoroughly before merging.
  • If you have any questions or concerns, please seek support in the #sca-support Slack channel.

References:

  1. Latest project report in Snyk
  2. How to access Snyk via SSO?
  3. Snyk knowledge base

Snyk has created this PR to upgrade org.apache.logging.log4j:log4j-api from 2.7 to 2.25.4.

See this package in maven:
org.apache.logging.log4j:log4j-api

See this project in Snyk:
https://app.snyk.io/org/gwunleong.lee/project/6d8f8930-2793-4d67-b2df-cc34344f7a1d?utm_source=github&utm_medium=referral&page=upgrade-pr

gwnlng (Owner, Author) commented Apr 27, 2026

Merge Risk: Medium

This is a significant upgrade across multiple versions of Log4j 2. While the log4j-api itself maintains binary compatibility, the underlying runtime requirements have changed, which presents the primary breaking change.

Key Changes:

  • Java Version Requirement: The most critical change is the required Java version. Log4j 2.25.4 requires a minimum of Java 8. The starting version, 2.7, supported Java 7, but support for Java 7 was dropped in version 2.12.4. Any application still running on Java 7 will fail to start.
  • API Compatibility: The log4j-api is designed to be backward compatible. The release notes for recent versions confirm that the API maintains binary compatibility with previous 2.x releases, so code-level changes to your application's logging calls should not be necessary.
  • Removed Modules: Several modules, including log4j-mongodb3, log4j-flume-ng, and log4j-kubernetes, are no longer part of the main Log4j release and have their own release lifecycles. If you use these specific appenders, you will need to manage their dependencies separately.

Recommendation:
Verify that your application is running on Java 8 or a later version before applying this upgrade. If you are on Java 7, you must upgrade your JDK first. If you are using any of the removed modules, check for their new, separate artifacts.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
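As an added example, not code from the Snyk PR or from the comment above, the following POSIX sh pre-merge check turns the two recommendations into something a reviewer can run: it parses a `java -version` string (handling both the legacy `1.x.y_zz` scheme and the `x.y.z` scheme used from Java 9 on) and rejects anything below Java 8, reads the resolved `log4j-api` version out of `mvn dependency:list` output, and flags the three modules the comment names as no longer shipped with the main Log4j release. The version strings and dependency lines it parses are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the Snyk PR or the comment above): pre-merge checks
# for the log4j-api 2.7 -> 2.25.4 bump. Sample inputs at the bottom are constructed.

# java_major VERSION -> prints the feature release number (7, 8, 11, 17, ...).
# Handles the legacy "1.x.y_zz" scheme and the "x.y.z" scheme used from Java 9.
java_major() {
    v=$1
    case "$v" in
        1.*) v=${v#1.}; v=${v%%.*} ;;   # "1.7.0_80"   -> "7"
        *)   v=${v%%.*} ;;              # "11.0.2"     -> "11", "21" -> "21"
    esac
    printf '%s\n' "$v"
}

# java_ok_for_log4j VERSION -> exit 0 when VERSION is Java 8 or newer,
# the minimum the comment above cites for Log4j 2.25.4.
java_ok_for_log4j() {
    major=$(java_major "$1")
    [ "$major" -ge 8 ]
}

# log4j_api_version LISTING -> prints the resolved log4j-api version from
# `mvn dependency:list` style lines ("[INFO]    group:artifact:jar:version:scope").
log4j_api_version() {
    printf '%s\n' "$1" \
        | sed -n 's/.*org\.apache\.logging\.log4j:log4j-api:jar:\([^:]*\):.*/\1/p' \
        | head -n 1
}

# removed_log4j_modules LISTING -> prints each artifact in the listing that the
# comment above names as no longer part of the main Log4j release.
removed_log4j_modules() {
    printf '%s\n' "$1" \
        | grep -oE 'log4j-(mongodb3|flume-ng|kubernetes)' || true
}

# preflight JAVA_VERSION LISTING -> exit 1 only when the runtime is too old;
# removed modules are reported so their separate artifacts can be tracked.
preflight() {
    if ! java_ok_for_log4j "$1"; then
        echo "FAIL: Java $1 is below the Java 8 minimum for Log4j 2.25.4"
        return 1
    fi
    echo "OK: Java $1 satisfies the Java 8 minimum"
    echo "log4j-api resolved to: $(log4j_api_version "$2")"
    for m in $(removed_log4j_modules "$2"); do
        echo "WARN: $m is no longer released with Log4j; manage it separately"
    done
    return 0
}

# Constructed sample inputs (not taken from the project or the page).
SAMPLE_JAVA='1.8.0_292'
SAMPLE_LISTING='[INFO]    org.apache.logging.log4j:log4j-api:jar:2.25.4:compile
[INFO]    org.apache.logging.log4j:log4j-flume-ng:jar:2.7:compile'

preflight "$SAMPLE_JAVA" "$SAMPLE_LISTING"
```

On a real checkout, feed `preflight` the version printed by `java -version` and the output of `mvn dependency:list` from the module that contains the changed pom.xml.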

gwnlng (Owner, Author) commented Apr 27, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scan Engine            Critical  High  Medium  Low  Total (0)
        Open Source Security   0         0     0       0    0 issues
        Licenses               0         0     0       0    0 issues
        Code Security          0         0     0       0    0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
