ring

Franklin 2021-12-17T08:14:05.020Z

any word on how the log4j vulnerability is being handled?

2021-12-17T11:23:17.020500Z

Does Ring depend on log4j?

Franklin 2021-12-17T12:10:14.020700Z

@magnars I'm not certain, but ring depends on Jetty and jetty depends on log4j

Franklin 2021-12-17T12:11:54.020900Z

whenever I start my ring server I get these warnings, which have led me to think it depends on log4j

log4j:WARN No appenders could be found for logger (org.eclipse.jetty.util.log).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See  for more in

2021-12-17T12:15:12.021100Z

Running lein deps :tree on my project, it does not list log4j under jetty. From what I can understand, jetty uses slf4j.

👍 1
Franklin 2021-12-17T13:02:34.021400Z

thanks... lein deps :tree helped me identify who's bringing in log4j

2021-12-17T13:05:20.021600Z

Excellent 🙂 glad to help!

Franklin 2021-12-17T15:05:47.022200Z

@magnars I also noticed that shttps://github.com/qos-ch/slf4j/blob/master/slf4j-log4j12/pom.xml, could that be a problem?

emccue 2021-12-17T16:44:21.022500Z

slf4j doesnt, sl4fj-log4j does

Franklin 2021-12-18T04:38:44.022700Z

how do I install slf4j without a dependency on log4j?

Franklin 2021-12-18T04:39:01.022900Z

can't seem to find one that does not use log4j

weavejester 2021-12-18T04:51:53.023100Z

slf4j-jdk14 uses Java’s logging system

weavejester 2021-12-18T04:54:41.023300Z

You could also use log4j 2.16 which (may?) be safe now.

weavejester 2021-12-18T04:56:17.023500Z

But as mentioned, Ring has no dependency on Log4J.

Franklin 2021-12-18T05:06:41.023700Z

@weavejester is there any recommended middleware for logging?

Franklin 2021-12-18T05:07:07.024Z

one which logs requests in their final state? with response status codes