any word on how the log4j vulnerability is being handled?
https://jfrog.com/blog/log4shell-0-day-vulnerability-all-you-need-to-know/
Does Ring depend on log4j?
@magnars I'm not certain, but ring depends on Jetty and jetty depends on log4j
whenever I start my ring server I get these warnings, which have led me to think it depends on log4j
log4j:WARN No appenders could be found for logger (org.eclipse.jetty.util.log).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See for more in
Running lein deps :tree on my project, it does not list log4j under jetty. From what I can understand, jetty uses slf4j.
thanks... lein deps :tree helped me identify who's bringing in log4j
Excellent 🙂 glad to help!
@magnars I also noticed that https://github.com/qos-ch/slf4j/blob/master/slf4j-log4j12/pom.xml, could that be a problem?
slf4j doesn't, slf4j-log4j does
how do I install slf4j without a dependency on log4j?
can't seem to find one that does not use log4j
slf4j-jdk14 uses Java’s logging system
You could also use log4j 2.16 which (may?) be safe now.
But as mentioned, Ring has no dependency on Log4J.
@weavejester is there any recommended middleware for logging?
one which logs requests in their final state? with response status codes