Skip to content

[Snyk] Upgrade org.apache.logging.log4j:log4j-api from 2.17.2 to 2.26.0#12

Open
m-mohamedin wants to merge 1 commit into
devfrom
snyk-upgrade-63257b3a655bac0a8239211755f4b03e
Open

[Snyk] Upgrade org.apache.logging.log4j:log4j-api from 2.17.2 to 2.26.0#12
m-mohamedin wants to merge 1 commit into
devfrom
snyk-upgrade-63257b3a655bac0a8239211755f4b03e

Conversation

@m-mohamedin

Copy link
Copy Markdown

snyk-top-banner

Snyk has created this PR to upgrade org.apache.logging.log4j:log4j-api from 2.17.2 to 2.26.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 19 versions ahead of your current version.

  • The recommended version was released 2 months ago.

Breaking Change Risk

Merge Risk: Medium

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

Snyk has created this PR to upgrade org.apache.logging.log4j:log4j-api from 2.17.2 to 2.26.0.

See this package in maven:
org.apache.logging.log4j:log4j-api

See this project in Snyk:
https://app.snyk.io/org/davidjgraph/project/0289bfe9-c88a-43cc-95b1-f540bf9f60b0?utm_source=github&utm_medium=referral&page=upgrade-pr
@m-mohamedin

Copy link
Copy Markdown
Author

Merge Risk: Medium

This upgrade of the Log4j API from version 2.17.2 to 2.26.0 introduces several changes and deprecations that require review.

Key Changes:

  • Java Version: The minimum required Java version remains Java 8.
  • Builder Method Deprecation: So-called "wither" methods in builder classes have been deprecated in favor of standard setters. This is to improve consistency for the upcoming Log4j 3. While not a breaking change yet, it is recommended to update code to use the new setter methods.
  • Stricter Configuration: Unnamed scripts in a global <Scripts> configuration element will now cause a ConfigurationException. All such scripts must be explicitly named.
  • Date/Time Formatting: The legacy custom date and time formatters are now deprecated in favor of Java's standard DateTimeFormatter. This could lead to changes in log message timestamps. A system property (log4j2.instantFormatter=legacy) can be used to temporarily revert to the old behavior if formatting issues arise.
  • JMS Appender: A new log4j-jakarta-jms module has been introduced, and the previous Javax-based JMS appender is now deprecated.

Recommendation:
Review your Log4j configuration to ensure any global scripts are named. Check if your application uses builder classes for programmatic configuration and plan to migrate from with... methods to setters. After upgrading, verify log output to ensure date/time formats are as expected.

Source: Apache Log4j 2.26.0 Release Notes

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants