Update logback version to address vulnerability (#37501)

damccorm · web-flow · commit beec6a3e156d · 2026-02-05T10:59:53.000-05:00
diff --git a/sdks/java/io/expansion-service/build.gradle b/sdks/java/io/expansion-service/build.gradle
@@ -50,10 +50,9 @@ configurations.runtimeClasspath {
     }
   }
 
-  // Pin logback to 1.5.20
-  // Cannot upgrade to io modules due to logback 1.4.x dropped Java 8 support
-  resolutionStrategy.force "ch.qos.logback:logback-classic:1.5.20"
-  resolutionStrategy.force "ch.qos.logback:logback-core:1.5.20"
+  // Pin logback to 1.5.27 to resolve CVE-2026-1225
+  resolutionStrategy.force "ch.qos.logback:logback-classic:1.5.27"
+  resolutionStrategy.force "ch.qos.logback:logback-core:1.5.27"
 }
 
 shadowJar {

Original file line number	Diff line number	Diff line change
`@@ -50,10 +50,9 @@ configurations.runtimeClasspath {`
`50`	`50`	`}`
`51`	`51`	`}`
`52`	`52`
`53`		`- // Pin logback to 1.5.20`
`54`		`- // Cannot upgrade to io modules due to logback 1.4.x dropped Java 8 support`
`55`		`- resolutionStrategy.force "ch.qos.logback:logback-classic:1.5.20"`
`56`		`- resolutionStrategy.force "ch.qos.logback:logback-core:1.5.20"`
	`53`	`+ // Pin logback to 1.5.27 to resolve CVE-2026-1225`
	`54`	`+ resolutionStrategy.force "ch.qos.logback:logback-classic:1.5.27"`
	`55`	`+ resolutionStrategy.force "ch.qos.logback:logback-core:1.5.27"`
`57`	`56`	`}`
`58`	`57`
`59`	`58`	`shadowJar {`