Commit 87c3d8b
fix(deps): upgrade shadow plugin to resolve log4j-core XmlLayout vuln (COMP-1573)
The com.github.johnrengelman.shadow 8.1.1 build plugin transitively bundled
org.apache.logging.log4j:log4j-core 2.20.0 in the build tooling classpath, which
is affected by CVE-2026-34480 / GHSA-3pxv-7cmr-fjr4 (XmlLayout fails to sanitize
characters forbidden by the XML 1.0 spec; fixed in log4j-core 2.25.4).
Migrate to the successor plugin com.gradleup.shadow 9.5.0, which ships
log4j-core 2.26.1 (>= 2.25.4). Shadow 9.x requires Gradle 9, so the Gradle
wrapper is bumped 8.13 -> 9.6.1 and the GraalVM native-build-tools plugin
0.10.6 -> 1.1.3 (first line to support Gradle 9). Verified: shadowJar builds
and all tests pass under Gradle 9.6.1.
See: https://github.com/seqeralabs/wave-cli/security/dependabot/16
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>1 parent 9655b24 commit 87c3d8b
2 files changed
Lines changed: 3 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
3 | 3 | | |
4 | | - | |
5 | | - | |
| 4 | + | |
| 5 | + | |
6 | 6 | | |
7 | 7 | | |
8 | 8 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
17 | 17 | | |
18 | 18 | | |
19 | 19 | | |
20 | | - | |
| 20 | + | |
21 | 21 | | |
22 | 22 | | |
23 | 23 | | |
0 commit comments