[slf4j-dev] Outdated log4j dependency

Ralph Goers ralph.goers at dslextreme.com
Fri Jul 16 09:46:05 CEST 2021


The SLF4J API does not have a dependency on any logging implementation, including log4j 1.2. If you do not want the binding to log4j 1.2, simply do not include the slf4j-log4j12 jar.

Log4j 2 provides the binding between the SLF4J API and Log4j’s API. This is done by including the log4j-slf4j or log4j-slf4j18 jars provided by Log4j 2. Note that while the log4j-slf4j18 jar will provide some compatibility with slf4j-2.0, a new bridge will be required to fully support it as there are new classes in SLF4J 2.0 that must be accessed at compile time to take advantage of those features, and that cannot be done in log4j-slf4j18 without breaking backward compatibility.

FWIW, Log4j 2 also provides the log4j-1.2-api binding which allows the log4j-1.2.17 jar to be removed and routes calls to log4j-1.2 to log4j 2 instead.

Finally, you could use the Log4j 2 API instead of SLF4J if you want. It provides all the features of SLF4J - i.e. it does not lock you into using the Log4j 2 implementation.

Ralph

> On Jul 15, 2021, at 8:34 PM, Florian Pöhr <florian.poehr at nomapo.com> wrote:
> 
> Dear Slf4j team,
> 
> I noticed that when using Slf4j with log4j the dependency that gets pulled by Slf4j is outdated (log4j-1.2.17.jar). Log4J 1.2.17 reached end of life in 2015 (see http://logging.apache.org/log4j/1.2/download.html).
> 
> This leads to the following problems:
> 
> * Log4J 1.2.17 contains a security vulnerability (see https://nvd.nist.gov/vuln/detail/CVE-2019-17571 )
> * Log4J 1.2.17 contains a dirty bugfix that messes up the java module system (see https://stackoverflow.com/questions/60130941/resolutionexception-in-java-11 )
> 
> Therefore I wanted to ask: are there any plans to switch to a newer Log4J 2.x version in the near future? I guess I am not the only one having problems with this dependency.
> 
> Best regards,
> 
> Florian Poehr
> 
> _______________________________________________
> slf4j-dev mailing list
> slf4j-dev at qos.ch
> http://mailman.qos.ch/mailman/listinfo/slf4j-dev
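
The swap described in the reply above, written out as a Maven fragment. This is an added example, not part of the original thread or of either project's documentation. It assumes that log4j-slf4j-impl, log4j-1.2-api and log4j-core are the Maven coordinates of the Log4j 2 jars involved, uses `some.group:some-library` as a hypothetical dependency that pulls in the old binding, and leaves every version as a placeholder.

```xml
<properties>
  <!-- Placeholder: set to the Log4j 2 release you have vetted -->
  <log4j2.version>REPLACE_WITH_LOG4J2_VERSION</log4j2.version>
</properties>

<dependencies>
  <!-- Hypothetical library that transitively brings in the log4j 1.2 binding -->
  <dependency>
    <groupId>some.group</groupId>
    <artifactId>some-library</artifactId>
    <version>REPLACE_WITH_VERSION</version>
    <exclusions>
      <!-- Drop the SLF4J-to-log4j-1.2 binding ... -->
      <exclusion>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-log4j12</artifactId>
      </exclusion>
      <!-- ... and the end-of-life log4j-1.2.17 jar itself -->
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- SLF4J API calls are routed to the Log4j 2 API -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-slf4j-impl</artifactId>
    <version>${log4j2.version}</version>
  </dependency>
  <!-- Code still calling the org.apache.log4j (1.2) API is routed to Log4j 2 -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-1.2-api</artifactId>
    <version>${log4j2.version}</version>
  </dependency>
  <!-- Log4j 2 implementation behind the API (assumed; not named in the reply) -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>${log4j2.version}</version>
  </dependency>
</dependencies>
```

Running `mvn dependency:tree -Dincludes=log4j:log4j,org.slf4j:slf4j-log4j12` afterwards should list nothing once every transitive path to the old jars has been excluded.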
