Fork me on GitHub
#ring
<
2021-12-17
>
Franklin08:12:05

any word on how the log4j vulnerability is being handled?

magnars11:12:17

Does Ring depend on log4j?

Franklin12:12:14

@U07FCNURX I'm not certain, but ring depends on Jetty and jetty depends on log4j

Franklin12:12:54

whenever I start my ring server I get these warnings, which have led me to think it depends on log4j

log4j:WARN No appenders could be found for logger (org.eclipse.jetty.util.log).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See  for more in

magnars12:12:12

Running lein deps :tree on my project, it does not list log4j under jetty. From what I can understand, jetty uses slf4j.

👍 1
Franklin13:12:34

thanks... lein deps :tree helped me identify who's bringing in log4j

magnars13:12:20

Excellent 🙂 glad to help!

emccue16:12:21

slf4j doesnt, sl4fj-log4j does

Franklin04:12:44

how do I install slf4j without a dependency on log4j?

Franklin04:12:01

can't seem to find one that does not use log4j

weavejester04:12:53

slf4j-jdk14 uses Java’s logging system

weavejester04:12:41

You could also use log4j 2.16 which (may?) be safe now.

weavejester04:12:17

But as mentioned, Ring has no dependency on Log4J.

Franklin05:12:41

@U0BKWMG5B is there any recommended middleware for logging?

Franklin05:12:07

one which logs requests in their final state? with response status codes