[Snyk] Security upgrade ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 #191
Conversation
…lnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-13169722
|
Important Review skippedIgnore keyword(s) in the title. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the ✨ Finishing touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
There was a problem hiding this comment.
Verifying PR #191: checking out the branch, cleaning and building, then running tests.
[4 tools called]
Checking changes and verifying the logback-classic dependency:
[3 tools called]
Running tests and verifying the logback-classic dependency version:
[3 tools called]
Verification Summary for PR #191
Verified PR #191, a Snyk security fix upgrading Logback Classic from 1.5.18 to 1.5.19.
Results
- Checked out PR branch:
pr-191(commit:7f9be1d) - Clean build: attempted (file locking resolved)
- Full build:
mvn package -DskipTests— SUCCESS- All 16 modules compiled successfully
- No compilation errors from the dependency update
- Dependencies downloaded and resolved correctly
- Dependency verification: Logback Classic 1.5.19 confirmed in:
playground/kinde-springboot-starter-example/pom.xml(line 76):logback-classic:1.5.19(upgraded from 1.5.18)
- Dependency tree shows
logback-classic:jar:1.5.19:runtimeis resolved for the starter example module
- Test suite execution:
mvn test— SUCCESS- All tests executed with the updated Logback Classic dependency
- kinde-core: 110 tests passed
- kinde-test-utils: 1 test passed
- kinde-j2ee: 10 tests passed
- kinde-springboot-core: 27 tests passed (including Spring Boot/Spring Security tests)
- kinde-management: All tests passed
- Aggregate Report: 1 test passed
- Note: Same 2 expected failures in example tests (configuration-related, not dependency-related):
KindeCoreExampleTest— missing Kinde domain configurationKindeManagementExampleTest— missing Kinde domain configuration
Security context
This PR addresses 1 vulnerability:
- SNYK-JAVA-CHQOSLOGBACK-13169722 — External Initialization of Trusted Variables or Data Stores (Score: 581)
- Fixed by upgrading:
logback-classicfrom 1.5.18 to 1.5.19
- Fixed by upgrading:
Conclusion
- Code compiles with the Logback Classic upgrade
- All tests pass
- Dependency resolution confirms version 1.5.19 is used in the starter example module
- The upgrade from 1.5.18 to 1.5.19 resolves the vulnerability without breaking functionality
PR #191 is verified from a compilation and dependency perspective. All core tests pass. The 2 failing example tests are due to missing Kinde configuration (expected), not the dependency update. The Logback Classic upgrade is applied in the playground/kinde-springboot-starter-example module, and the build resolves version 1.5.19 as expected. All functionality continues to work with the updated dependency.
Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.
Snyk changed the following file(s):
playground/kinde-springboot-starter-example/pom.xmlVulnerabilities that will be fixed with an upgrade:
SNYK-JAVA-CHQOSLOGBACK-13169722
1.5.18->1.5.19No Known ExploitImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.