Skip to content

build(deps): Upgrade logback to 1.5.18 #1933

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 11, 2025
Merged

build(deps): Upgrade logback to 1.5.18 #1933

merged 1 commit into from
Jul 11, 2025

Conversation

phipag
Copy link
Contributor

@phipag phipag commented Jul 11, 2025

Summary

Addressing https://github.com/aws-powertools/powertools-lambda-java/security/dependabot/66

Patched version is now in dependency tree:

❯ mvn dependency:tree | grep logback-core
[INFO] |  \- ch.qos.logback:logback-core:jar:1.5.18:compile

Changes

Issue number: #1917

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Disclaimer: We value your time and bandwidth. As such, any pull requests created on non-triaged issues might not be successful.

@phipag phipag requested a review from dreamorosi July 11, 2025 09:43
@phipag phipag self-assigned this Jul 11, 2025
@phipag phipag added the dependencies Pull requests that update a dependency file label Jul 11, 2025
@phipag phipag moved this to Pending review in Powertools for AWS Lambda (Java) Jul 11, 2025
@github-actions
Copy link
Contributor

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ❌ 1 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

powertools-logging/powertools-logging-logback/pom.xml

PackageVersionLicenseIssue Type
ch.qos.logback:logback-core1.5.18EPL-1.0 AND LGPL-2.1 AND LGPL-2.1-onlyIncompatible License
ch.qos.logback:logback-classic1.5.18NullUnknown License
Allowed Licenses: Apache-1.1, Apache-2.0, ISC, MIT, MIT-0, MIT-CMU, MIT-enna, MIT-feh, MIT-Festival, MIT-Modern-Variant, MIT-open-group, MIT-testregex, MIT-Wu, BSD-1-Clause, BSD-2-Clause, BSD-2-Clause-Views, BSD-3-Clause, BSD-3-Clause-Attribution, BSD-3-Clause-Clear, BSD-3-Clause-flex, BSD-3-Clause-HP, BSD-3-Clause-LBNL, BSD-3-Clause-Modification, BSD-3-Clause-No-Military-License, BSD-3-Clause-No-Nuclear-License, BSD-3-Clause-No-Nuclear-License-2014, BSD-3-Clause-No-Nuclear-Warranty, BSD-3-Clause-Open-MPI

OpenSSF Scorecard

PackageVersionScoreDetails
maven/ch.qos.logback:logback-classic 1.5.18 🟢 6.4
Details
CheckScoreReason
Packaging⚠️ -1packaging workflow not detected
Maintained⚠️ 20 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 2
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Security-Policy🟢 10security policy file detected
Code-Review⚠️ 0Found 0/30 approved changesets -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
SAST⚠️ 0no SAST tool detected
License🟢 9license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing🟢 10project is fuzzed
Vulnerabilities🟢 100 existing vulnerabilities detected
maven/ch.qos.logback:logback-core 1.5.18 🟢 6.4
Details
CheckScoreReason
Packaging⚠️ -1packaging workflow not detected
Maintained⚠️ 20 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 2
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Security-Policy🟢 10security policy file detected
Code-Review⚠️ 0Found 0/30 approved changesets -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
SAST⚠️ 0no SAST tool detected
License🟢 9license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing🟢 10project is fuzzed
Vulnerabilities🟢 100 existing vulnerabilities detected

Scanned Files

  • powertools-logging/powertools-logging-logback/pom.xml

@sonarqubecloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@phipag phipag merged commit 22b8e6c into main Jul 11, 2025
14 of 15 checks passed
@phipag phipag deleted the phipag/logback-upgrade branch July 11, 2025 09:53
@github-project-automation github-project-automation bot moved this from Pending review to Coming soon in Powertools for AWS Lambda (Java) Jul 11, 2025
@phipag phipag linked an issue Jul 11, 2025 that may be closed by this pull request
Maintenance: Address dependabot alerts #1917
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dreamorosi dreamorosi dreamorosi approved these changes

Assignees

@phipag phipag

Labels

dependencies Pull requests that update a dependency file size/XS

Projects

Powertools for AWS Lambda (Java)
Status: Coming soon

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Maintenance: Address dependabot alerts

2 participants

@phipag @dreamorosi